OfficeDev / Office-Addin-Scripts

A set of scripts and packages that are consumed in Office add-ins projects.
MIT License

@microsoft/teams-manifest requires an insecure axios version #818

Closed lsmith77 closed 3 months ago

lsmith77 commented 7 months ago

Prerequisites

@microsoft/teams-manifest "axios": "^0.21.2", see https://www.npmjs.com/package/@microsoft/teams-manifest?activeTab=code

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

https://github.com/advisories/GHSA-wf5p-g6vw-rhxx

Expected behavior

Move to Version 1.6.0

Context

I shared this information with Microsoft Security Response Center but they closed the case with some bullshit bla bla about not having received enough information. Since I could not find a GitHub repo for @microsoft/teams-manifest and this package depends on it, and is also maintained by Microsoft, I am opening the ticket here.

However, here is my attempt at tagging the NPM maintainers here on GitHub: @zhyuer, @nintan

Since the security issue is public anyway and any hacker can easily determine vulnerable packages, I guess using a public channel for this isn't making matters worse.

lsmith77 commented 7 months ago

So since https://www.npmjs.com/package/@microsoft/teams-manifest/v/0.1.3-alpha.e662467a1.0?activeTab=code the axios dependency has been removed. But no indication when we can expect a prod release.

millerds commented 7 months ago

That is not the only @microsoft/teams* package this repo has dependencies on that has the axios vulnerability. We are working with that team to take care of this soon, but it involves changes in a variety of places in order to be complete.

lsmith77 commented 7 months ago

Thank you for responding as it is otherwise not possible to reach the relevant team.

lsmith77 commented 6 months ago

partially fixed via https://github.com/OfficeDev/Office-Addin-Scripts/pull/826

lsmith77 commented 6 months ago

@millerds from what I can tell there remain unsolved issues:

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install office-addin-debugging@4.3.9, which is a breaking change
node_modules/@microsoft/teams-manifest/node_modules/axios
node_modules/@microsoft/teamsfx-api/node_modules/axios
node_modules/@microsoft/teamsfx-core/node_modules/axios
  @microsoft/teams-manifest  <=0.1.2
  Depends on vulnerable versions of axios
  node_modules/@microsoft/teams-manifest
    @microsoft/teamsfx-api  <=0.22.6
    Depends on vulnerable versions of @microsoft/teams-manifest
    Depends on vulnerable versions of axios
    node_modules/@microsoft/teamsfx-api
  @microsoft/teamsfx-core  <=2.0.6
  Depends on vulnerable versions of @microsoft/teamsfx-api
  Depends on vulnerable versions of axios
  node_modules/@microsoft/teamsfx-core
    @microsoft/teamsfx-cli  *
    Depends on vulnerable versions of @microsoft/teamsfx-api
    Depends on vulnerable versions of @microsoft/teamsfx-core
    node_modules/@microsoft/teamsfx-cli
      office-addin-dev-settings  >=1.11.0
      Depends on vulnerable versions of @microsoft/teamsfx-cli
      node_modules/office-addin-dev-settings
        office-addin-debugging  >=4.3.10
        Depends on vulnerable versions of office-addin-dev-settings
        node_modules/office-addin-debugging

7 moderate severity vulnerabilities

i.e. https://www.npmjs.com/package/@microsoft/teamsfx-cli?activeTab=dependencies depends on https://www.npmjs.com/package/@microsoft/teamsfx-core?activeTab=dependencies which in turn depends on vulnerable versions of axios

https://www.npmjs.com/package/@microsoft/teamsfx-core?activeTab=code
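The audit output above shows why a single top-level `axios` bump is not enough: each `@microsoft/teams*` package pins its own nested copy under `node_modules/<package>/node_modules/axios`. As an added example (not part of this thread or of the Office-Addin-Scripts project), here is a small Node script that walks a `package-lock.json` `packages` map, finds every installed copy of axios including nested ones, and flags those inside the advisory range 0.8.1 through 1.5.1 (GHSA-wf5p-g6vw-rhxx). The lock-file fragment is constructed for the example; the pre-release handling in `parseVersion` is an assumption, not npm's exact semver rules.

```javascript
// Constructed package-lock.json fragment mirroring the nested paths in the
// npm audit output above (lockfileVersion 2/3 "packages" layout).
const lockFile = {
  name: "example-addin",
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/@microsoft/teams-manifest": { version: "0.1.2", dependencies: { axios: "^0.21.2" } },
    "node_modules/@microsoft/teams-manifest/node_modules/axios": { version: "0.21.4" },
    "node_modules/@microsoft/teamsfx-core/node_modules/axios": { version: "0.27.2" },
    "node_modules/@azure/identity/node_modules/axios": { version: "1.5.1" },
  },
};

// Parse "major.minor.patch" into numbers. Assumption: a pre-release suffix is
// dropped (1.6.0-beta.1 compares as 1.6.0), which is fine for a fixed-version check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Inclusive range check; the advisory lists 0.8.1 through 1.5.1 as affected.
function isVulnerable(version, lo = "0.8.1", hi = "1.5.1") {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Returns one { path, version, parent } entry per vulnerable axios copy, where
// parent is the package that owns the nested copy ("(root)" for the top-level one).
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (!isVulnerable(meta.version)) continue;
    const parent = path.replace(/\/?node_modules\/axios$/, "").replace(/^node_modules\//, "") || "(root)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Stand-alone run: list the copies that still need their owning package bumped.
console.log(findVulnerableAxios(lockFile));
```

On a real project, replace `lockFile` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; the `parent` field tells you which dependency must publish a fix before `npm audit` can go clean.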

millerds commented 6 months ago

You are correct . . . only some of the vulnerabilities have been fixed . . . still working with that team to have their things fixed.

lsmith77 commented 5 months ago

looks like the latest beta releases finally address this https://www.npmjs.com/package/@microsoft/teamsfx-core/v/2.0.7-beta.2024012307.0?activeTab=code

millerds commented 5 months ago

Looks promising . . . now we just need to see the core cli package take a dependency on a shipped 2.0.7 package.

lsmith77 commented 4 months ago

sigh .. still no 2.0.7 release :-/

millerds commented 3 months ago

I believe it's fixed now.

lsmith77 commented 3 months ago

well ...

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/@azure/identity/node_modules/axios
node_modules/@azure/msal-node/node_modules/axios
node_modules/@microsoft/teams-manifest/node_modules/axios
node_modules/@microsoft/teamsfx-api/node_modules/axios
node_modules/@microsoft/teamsfx-cli/node_modules/axios
node_modules/@microsoft/teamsfx-core/node_modules/axios
  @azure/identity  1.2.0-alpha.20200903.1 - 2.0.0-beta.6
  Depends on vulnerable versions of @azure/msal-node
  Depends on vulnerable versions of axios
  node_modules/@azure/identity
    @microsoft/teamsfx-cli  <=2.0.2-rc-hotfix.0 || >=2.0.3-alpha.313138833.0
    Depends on vulnerable versions of @azure/core-http
    Depends on vulnerable versions of @azure/identity
    Depends on vulnerable versions of @microsoft/teamsfx-api
    Depends on vulnerable versions of @microsoft/teamsfx-core
    Depends on vulnerable versions of axios
    node_modules/@microsoft/teamsfx-cli
      office-addin-dev-settings  1.11.0 - 2.0.4
      Depends on vulnerable versions of @microsoft/teamsfx-cli
      node_modules/office-addin-dev-settings
        office-addin-debugging  4.3.10 - 4.6.7
        Depends on vulnerable versions of office-addin-dev-settings
        node_modules/office-addin-debugging
  @azure/msal-node  <=1.14.5
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@azure/msal-node
  @microsoft/teams-manifest  <=0.1.3-rc-hotfix.0
  Depends on vulnerable versions of axios
  node_modules/@microsoft/teams-manifest
    @microsoft/teamsfx-api  <=0.22.7-rc-hotfix.0
    Depends on vulnerable versions of @azure/core-http
    Depends on vulnerable versions of @microsoft/teams-manifest
    Depends on vulnerable versions of axios
    node_modules/@microsoft/teamsfx-api
  @microsoft/teamsfx-core  <=2.0.6
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of xml2js
  node_modules/@microsoft/teamsfx-core

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/jsonwebtoken

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix`
node_modules/xml2js
  @azure/core-http  <=2.3.1 || 3.0.0-alpha.20221110.1 - 3.0.0
  Depends on vulnerable versions of xml2js
  node_modules/@azure/core-http

lsmith77 commented 3 months ago

ok with some help of Dependabot I have now managed to bump everything up sufficiently.

npm install --save
npm WARN deprecated @azure/msal-node@1.18.4: A newer major version of this library is available. Please upgrade to the latest available version.

added 174 packages, removed 296 packages, changed 19 packages, and audited 1663 packages in 13s

240 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

I guess getting @azure/msal-node bumped would be good but at least isn't a security (known) issue at this point.