OpenZeppelin / openzeppelin-sdk

OpenZeppelin SDK repository for CLI and upgrades.js. No longer actively developed.
MIT License

`@openzeppelin/upgrades` package dependency vulnerabilities #1514

Open ben-kaufman opened 4 years ago

ben-kaufman commented 4 years ago

Hi, when adding the @openzeppelin/upgrades package to my project I receive warnings on package vulnerabilities (running npm audit provides detail). They all seem to arise from the web3 version you use here. Updating the web3 package used here should solve the issue.

abcoathup commented 4 years ago

Hi @ben-kaufman!

We have been able to reproduce this issue by following these steps:

$ mkdir issue1514 && cd issue1514
$ npm init -y
$ npm i @openzeppelin/upgrades@rc
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Insecure Credential Storage                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ web3                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/upgrades > web3                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/877                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/upgrades > web3 > web3-bzz > swarm-js >        │
│               │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 high) in 36898 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

Thanks so much for reporting it! The project owner will review and triage this issue during the next week.
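One way to triage a transitive finding like the two above, as an added example that is not part of this thread or of the openzeppelin-sdk project: the script below walks a lockfile v1 dependency tree and lists every path from a project's direct dependencies to the flagged package, mirroring the "Path" rows in the audit report. The lock data, the placeholder versions and the "example-tool" package are constructed for the demonstration.

```javascript
// Added example (not code from openzeppelin-sdk): list every dependency path
// from a project's direct dependencies to a package named in an npm audit
// finding, using the lockfile v1 layout npm 6 writes ("dependencies" map; each
// entry has "version", "requires" and, for a shadowing copy, nested "dependencies").
const sampleLock = { // constructed; versions are placeholders
  dependencies: {
    "@openzeppelin/upgrades": { version: "0.0.0-sample", requires: { web3: "*" } },
    web3: { version: "0.0.0-sample", requires: { "web3-bzz": "*" } },
    "web3-bzz": { version: "0.0.0-sample", requires: { "swarm-js": "*" } },
    "swarm-js": { version: "0.0.0-sample", requires: { decompress: "*" } },
    decompress: { version: "1.0.0-sample", requires: {} },
    "example-tool": { // invented second direct dependency
      version: "0.0.0-sample",
      requires: { decompress: "*" },
      // nested copy: npm resolves this before the hoisted decompress above
      dependencies: { decompress: { version: "2.0.0-sample", requires: {} } },
    },
  },
};
const sampleDirect = ["@openzeppelin/upgrades", "example-tool"]; // from package.json
// npm resolves a required name from the nearest enclosing "dependencies" map
// outward to the root, so scopes are ordered innermost first.
function resolveEntry(name, scopes) {
  for (const deps of scopes) if (deps && deps[name]) return deps[name];
  return undefined;
}
// Returns [{ path: "a > b > target", version }] in discovery order.
function dependencyPaths(lock, directDeps, target) {
  const root = lock.dependencies || {};
  const found = [];
  function walk(name, entry, scopes, trail) {
    if (trail.includes(name)) return; // cycle guard (peer/optional loops)
    const path = trail.concat(name);
    if (name === target) {
      found.push({ path: path.join(" > "), version: entry.version });
      return;
    }
    const inner = [entry.dependencies, ...scopes];
    for (const dep of Object.keys(entry.requires || {})) {
      const child = resolveEntry(dep, inner);
      if (child) walk(dep, child, inner, path);
    }
  }
  for (const name of directDeps) {
    if (root[name]) walk(name, root[name], [root], []);
  }
  return found;
}
console.log(dependencyPaths(sampleLock, sampleDirect, "decompress"));
```

Point the function at a real package-lock.json and the dependency names from package.json to see whether an unpatchable advisory is reachable only through web3 or also through other direct dependencies.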

abcoathup commented 4 years ago

The vulnerabilities are in web3 or its dependencies and are not fixed in the latest version of web3 (you can check by installing web3@1.2.6). https://github.com/OpenZeppelin/openzeppelin-sdk/issues/700#issuecomment-594127396

The Arbitrary File Write vulnerability should be fixed in a future version of web3 https://github.com/ethereum/web3.js/issues/3399