NASA-PDS / doi-ui

The web interface for the PDS DOI Service, providing the ability to manage PDS archive DOIs. See the DOI Service for more details on the available capabilities. https://nasa-pds.github.io/doi-service/
Apache License 2.0

[SECURITY] Triage and determine severity of dependabot and code scanning vulnerabilities #137

Closed jordanpadams closed 2 years ago

jordanpadams commented 2 years ago

Vulnerability

Describe the vulnerability See https://github.com/NASA-PDS/doi-ui/security/dependabot and https://github.com/NASA-PDS/doi-ui/security/code-scanning

Version

Latest

Engineering Details

This ticket is just to triage the tickets and create new ones for any identified vulnerabilities we need to address.

eddiesarevalo commented 2 years ago

Code Scanning Triage

https://github.com/NASA-PDS/doi-ui/security/code-scanning

1) https://github.com/NASA-PDS/doi-ui/security/code-scanning/1
2) https://github.com/NASA-PDS/doi-ui/security/code-scanning/2
3) https://github.com/NASA-PDS/doi-ui/security/code-scanning/3
4) https://github.com/NASA-PDS/doi-ui/security/code-scanning/4

The xml being parsed comes directly from the doi service. Anything that passed the upload process will be saved. We need to check if someone can inject some scripts in the xml and upload it. If it gets through then it can be sent back to the UI. We can create one ticket for these 4.

5) https://github.com/NASA-PDS/doi-ui/security/code-scanning/5 Noopener is missing from a link tag. This must be added in. Will create a ticket for this one.
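The two code-scanning findings above (XML from the DOI service being sent back to the UI, and a link tag without rel="noopener") can both be checked mechanically. The following is an added example, not code from the doi-ui project: escapeHtml() shows the encoding that keeps a smuggled script element inert when service XML is displayed as text, and findLinksMissingNoopener() scans rendered HTML for anchors that open a new tab without noopener. The sample XML and HTML strings are constructed for the example.

```javascript
'use strict';

// Added example, not code from the doi-ui project. Two defender-side checks
// for the code-scanning findings triaged above:
//  1. XML text returned by the DOI service must reach the page as text, never
//     as markup; escapeHtml() is the minimal encoding that makes a smuggled
//     <script> element inert in an HTML context.
//  2. Anchors with target="_blank" need rel="noopener";
//     findLinksMissingNoopener() scans rendered HTML for offenders.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if the string can still open an HTML tag, comment or processing instruction.
function containsRawTag(s) {
  return /<[a-zA-Z!\/?]/.test(s);
}

// Read one attribute from a single tag string; handles "..", '..' and bare values.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Return every <a ...> tag that opens a new browsing context (target="_blank")
// without listing "noopener" among its rel tokens.
function findLinksMissingNoopener(html) {
  const offenders = [];
  const anchorRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const tag = m[0];
    const target = attr(tag, 'target');
    if (target === null || target.toLowerCase() !== '_blank') continue;
    const rel = attr(tag, 'rel');
    const tokens = rel === null ? [] : rel.toLowerCase().trim().split(/\s+/);
    if (!tokens.includes('noopener')) offenders.push(tag);
  }
  return offenders;
}

// Constructed samples (not real doi-ui data): an XML record with a script
// element hidden in a text node, and a rendered fragment with four anchors.
const SAMPLE_XML = '<record><title>Test &amp; <script>alert(1)</script></title></record>';
const SAMPLE_HTML = [
  '<a href="https://example.invalid/a" target="_blank">a</a>',
  '<a href="https://example.invalid/b" target="_blank" rel="noopener noreferrer">b</a>',
  "<a href='https://example.invalid/c' target='_blank' rel='noreferrer'>c</a>",
  '<a href="https://example.invalid/d">d</a>',
].join('\n');

console.log(escapeHtml(SAMPLE_XML));            // every "<" becomes "&lt;"
console.log(findLinksMissingNoopener(SAMPLE_HTML)); // anchors a and c
```

In a React UI the escaping happens automatically for string children in JSX; the point where service XML would become live markup is a dangerouslySetInnerHTML (or raw innerHTML) sink, so the audit question is whether any such sink receives the service response. The link check is what a linter rule or a test over the rendered DOM would do for finding 5.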

eddiesarevalo commented 2 years ago

@jordanpadams The dependabot link is broken. I wasn't able to find it on the security section. I can go off of the npm audit though.

eddiesarevalo commented 2 years ago

remaining npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts

ejs  <3.1.7
Severity: high
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ejs
  @surma/rollup-plugin-off-main-thread  <=2.1.0
  Depends on vulnerable versions of ejs
  node_modules/@surma/rollup-plugin-off-main-thread
    workbox-build  5.0.0-alpha.0 - 6.3.0
    Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
    node_modules/workbox-build
      workbox-webpack-plugin  5.0.0-alpha.0 - 5.1.4 || 6.2.2 - 6.3.0
      Depends on vulnerable versions of workbox-build
      node_modules/workbox-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of optimize-css-assets-webpack-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        Depends on vulnerable versions of workbox-webpack-plugin
        node_modules/react-scripts

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts

immer  <9.0.6
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/immer
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts

node-forge  <=1.2.1
Severity: high
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of optimize-css-assets-webpack-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack-dev-server
          Depends on vulnerable versions of workbox-webpack-plugin
          node_modules/react-scripts
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

jordanpadams commented 2 years ago

@eddiesarevalo I just updated permissions. can you try again?

eddiesarevalo commented 2 years ago

@jordanpadams I see it now! Thank you!

eddiesarevalo commented 2 years ago

Dependabot Triage

1) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/1
Dependency: Postcss
Action: Fixed in #136. This doesn't need to be fixed as the source map parsing will only occur at build time. It will never be exposed to the user. A simple audit fixed it either way.
Description: Postcss Regular Expression Denial of Service (ReDoS) during source map parsing. Someone can put a super complex string in the postcss setup to cause it to take forever to operate. This can't happen in a built source.

2) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/9
Dependency: immer
Action: Will wait until update. Cannot fix until a newer version of react and redux is out. The fix would install react-scripts@5.0.1, which is a breaking change.
Description: Immer creates a new state by mutating the old one. Here someone can add prototypes to an object on a JavaScript backend, enabling DoS, authentication bypass, and RCE attacks.

3) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/10 Same as number 2

4) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/12
Dependency: nth-check
Action: Will wait until update. Cannot fix until a newer version of react is out. The fix would install react-scripts@5.0.1, which is a breaking change. This doesn't affect built source code though, so we don't need to fix.
Description: nth-check parses css nth-checks into more efficient ones. However, it is vulnerable to Inefficient Regular Expression Complexity if someone puts a complex regex in the pre-built css.

5) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/14
Dependency: node-forge
Action: Will wait until update. Cannot fix until newer versions of webpack and react are out. The fix would install react-scripts@5.0.1, which is a breaking change. Does not affect built source.
Description: The regex used for the forge.util.parseUrl API would not properly parse certain inputs, resulting in a parsed data structure that could lead to undesired behavior. This happens when running the dev server, not the built source code.

6) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/15
Dependency: node-forge
Action: fixed in #136
Description: The forge.debug API had a potential prototype pollution issue if called with untrusted input.

7) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/19
Dependency: node-forge
Action: fixed in #136
Description: parseUrl functionality in node-forge mishandles certain uses of backslash such as https:///\ and interprets the URI as a relative path.

8) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/20
Dependency: node-forge
Action: fixed in #136
Description: Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

9) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/25 Same as 1. Fixed in #136

10) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/29
Dependency: ansi-html
Action: Will wait until update. Cannot fix until newer versions of webpack and react are out. The fix would install react-scripts@5.0.1, which is a breaking change. This won't affect built source code as a user will not be able to use this build tool at run time.
Description: This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

11) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/30
Dependency: node-forge
Action: Will wait until update. Cannot fix until newer versions of webpack and react are out. The fix would install react-scripts@5.0.1, which is a breaking change. We don't use RSA tokens or cryptography in our app so we don't actually need this fix.
Description: RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

12) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/31 Same as 11

13) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/32 Same as 11

14) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/34
Dependency: ansi-regex
Action: fixed in #136
Description: ansi-regex is vulnerable to Inefficient Regular Expression Complexity. This won’t affect built source code as a user will not be able to use this build tool at run time.

15) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/35 Same as 14

16) Vulnerability https://github.com/NASA-PDS/doi-ui/security/dependabot/36
Dependency: async
Action: fixed in #136
Description: A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

Will create a ticket that says to look out for updates for the vulnerabilities that couldn't be fixed: numbers 2 immer, 4 nth-check, 5 node-forge, 10 ansi-html, 11 node-forge. Or full list:
https://github.com/NASA-PDS/doi-ui/security/dependabot/9
https://github.com/NASA-PDS/doi-ui/security/dependabot/12
https://github.com/NASA-PDS/doi-ui/security/dependabot/14
https://github.com/NASA-PDS/doi-ui/security/dependabot/29
https://github.com/NASA-PDS/doi-ui/security/dependabot/30
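Item 2 above describes prototype pollution in general terms ("someone can add prototypes to an object"). The following added example is not code from the doi-ui project or from immer; it uses a generic recursive merge of the kind a UI might write to apply uploaded JSON onto its state, shows how a "__proto__" key in that JSON writes into the shared prototype, and gives the hardened merge plus an input check that rejects such keys before any state library sees them. The payload string is constructed for the example, and the unsafe run is done against a private throw-away prototype so the demonstration does not alter Object.prototype.

```javascript
'use strict';

// Added example, not code from the doi-ui project or from immer. It shows the
// prototype-pollution mechanism named in item 2 above using a generic
// recursive merge, and the hardened form that refuses the dangerous keys.

// Keys whose assignment reaches the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: walks every key of `source` into `target`. With a source
// key of "__proto__", target["__proto__"] resolves to target's prototype, so
// the recursion writes into the prototype shared by every object built on it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: rejects prototype-reaching keys and only recurses into
// properties that `target` itself owns, never ones inherited via the chain.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input validation for untrusted JSON (e.g. an uploaded record before it is
// handed to a state-update library): returns the paths of any forbidden key.
function findPollutionKeys(value, path = '') {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...findPollutionKeys(value[key], here));
  }
  return hits;
}

// Constructed malicious payload. JSON.parse creates an own property literally
// named "__proto__"; it is the later merge that turns it into a prototype write.
const PAYLOAD_JSON = '{"title":"ok","__proto__":{"isAdmin":true}}';

// Run the unsafe merge against an object whose prototype is a private,
// throw-away object, so the pollution is observable without touching
// Object.prototype for the whole process. Returns true when polluted.
function demonstrateUnsafe() {
  const proto = {};
  const state = Object.create(proto);
  mergeUnsafe(state, JSON.parse(PAYLOAD_JSON));
  const unrelated = Object.create(proto);
  return unrelated.isAdmin === true;
}

// Same payload through the hardened merge: the key is refused and the
// prototype stays clean.
function demonstrateSafe() {
  const proto = {};
  const state = Object.create(proto);
  let rejected = false;
  try {
    mergeSafe(state, JSON.parse(PAYLOAD_JSON));
  } catch (e) {
    rejected = true;
  }
  const unrelated = Object.create(proto);
  return { rejected, polluted: unrelated.isAdmin === true };
}

console.log('unsafe merge polluted prototype:', demonstrateUnsafe()); // true
console.log('safe merge:', demonstrateSafe()); // { rejected: true, polluted: false }
console.log('forbidden keys in payload:', findPollutionKeys(JSON.parse(PAYLOAD_JSON))); // [ '__proto__' ]
```

The validation step is the part that matters for a UI that is waiting on a library fix: running findPollutionKeys() over uploaded or fetched JSON and rejecting any hit means the payload never reaches the vulnerable code path, whichever version of the state library is installed.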

eddiesarevalo commented 2 years ago

Remaining Vulnerabilities From NPM Audit:

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts

We don't need a fix for this one since the built code will never expose the browserslist set up. A user will never be able to use the build tool.

ejs  <3.1.7
Severity: high
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ejs
  @surma/rollup-plugin-off-main-thread  <=2.1.0
  Depends on vulnerable versions of ejs
  node_modules/@surma/rollup-plugin-off-main-thread
    workbox-build  5.0.0-alpha.0 - 6.3.0
    Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
    node_modules/workbox-build
      workbox-webpack-plugin  5.0.0-alpha.0 - 5.1.4 || 6.2.2 - 6.3.0
      Depends on vulnerable versions of workbox-build
      node_modules/workbox-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of optimize-css-assets-webpack-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        Depends on vulnerable versions of workbox-webpack-plugin
        node_modules/react-scripts

We don't need a fix for this one since it only affects if used server side.

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts

We don't need a fix for this one since a user will never be able to use the build tool.

We don't need to fix these right away but I'll create a ticket to update these as soon as possible. I'll merge these three with the dependabot list.

jordanpadams commented 2 years ago

Done per other related tickets