RicoSuter / NSwag

The Swagger/OpenAPI toolchain for .NET, ASP.NET Core and TypeScript.
http://NSwag.org
MIT License
6.77k stars 1.29k forks source link

NSwag.MSBuild has security vulnerabilities #2824

Open AndrewKnieriem opened 4 years ago

AndrewKnieriem commented 4 years ago

nswag.msbuild.13.4.2.nupkg has vulnerabilities CVE-2019-1075, CVE-2019-0548, CVE-2019-0564, and CVE-2017-0247.

Related to Microsoft Security Advisory 4021279: Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege.

These vulnerabilities were identified through my company's license of WhiteSource, and as such we can't use this library in production with these issues in place.

RicoSuter commented 4 years ago

Its probably because it still supports older/outdated .net versions

Numpsy commented 3 years ago

Hi,

I work on some projects that use NSwag.MSBuild (13.9.4 at present), and that has recently started to be run through Whitesource, and has similar warnings.

I'm not convinced there is an actual issue here (given that the tool is being run at build time to generate C# clients for use in applications that have no ASP code or hosting at all at runtime, so I don't how the CVEs about runtime denial of service issues can occur?)

However:

Looking at the Microsoft.AspNetCore.* binaries installed by the MSBuild package, it looks to me like the 2.2 binaries installed with the .NET version of the tool are older versions than the 2.2 binaries installed with the .NETCore2.2 version of the tool?

Looking at the change history, the netcoreapp2.2 build was updated in https://github.com/RicoSuter/NSwag/commit/6b35c3e5f5685108673726e0cb687c9892b36e84 and that mentions CVE-2019-1075 (which is one of the issues that Whitesource mentions), so I wonder if it would be possible to update the .net461 references at

https://github.com/RicoSuter/NSwag/blob/1fb4a1af8785d375684b7c16be2ad76d40b422e5/src/NSwag.Commands/NSwag.Commands.csproj#L59

in a similar way?

These are the suggestions from Whitesource for reference

image

gbenthomas commented 2 years ago

Hi @AndrewKnieriem and @Numpsy, I ran into the same issue with WhiteSource. May I ask what you ended up doing to work around this?

@RicoSuter Any plans on updating the dependencies as @Numpsy mentioned?

Thanks!

SafeNuts commented 2 years ago

Hello!

Any updates?

Thanks!

Numpsy commented 2 years ago

I haven't worked on the project I was using NSwag on for a bit and so haven't tried with the current versions, but I have an idea that the .NET 4.x version of NSwag.MSBuild was changed to use Asp.Net Core 2.1 rather than 2.2 at some point (as 2.1 was LTS, and was the most recent still supported version that still worked on .NET Framework?)

RicoSuter commented 2 years ago

What frameworks would we need to remove to avoid these warnings?

image

lahma commented 2 years ago

Based on end-of-life policy could probably drop NetCore21 (that ship sailed a long time ago) and Net50 (just couple weeks until EOL) altogether?

Numpsy commented 2 years ago

One of the issues might have been that Asp.NetCore 2.1 was the last LTS version that supported .NET Framework 4.x, so if you want to support .NET Framework you need to keep using the old libraries? (I can't recall off hand if any of these CVEs were still present in the last 2.1 release or if they were all fixed there though)

Alas I think Whitesource might complain about old versions of libraries being present in the package, even if the consuming application only actually uses the .NET 5/6 version or if the libs aren't even used in a way that is effected by the vulnerabilities :-(

Numpsy commented 1 year ago

On the subject of Whitesource / Mend complaints -

version 13.20.0 of NSwag.MSBuild still contains these three:

image

It's quite possible that none of these issues actually exist in NSwag.MSBuild (denial of service issues in websockets and such) and some of these issues might be eased by the removal of the .NET Core 2.1 builds from the package, but -

It looks like there are still references to the 2.1 versions of some Microsoft.AspNetCore packages for use in .NET 4.6.2 targets (https://github.com/RicoSuter/NSwag/blob/a432103946f13f44807b12ee63333dec22f28a3a/src/NSwag.Commands/NSwag.Commands.csproj#L42C17-L42C17) and there are newer versions of some of the the 2.x libs that get packaged in the MSBuild nuget package, so maybe all the libs referenced by the 4.6.2 targets could be updated to the latest versions?

One specific example - the 14.0.0-preview005 package contains a copy of Microsoft.AspNetCore.Server.Kestrel.Core.dll version 2.1.3 which is listed on https://www.nuget.org/packages/Microsoft.AspNetCore.Server.Kestrel.Core/ as having high severity vulnerabilities, and there is a newer 2.1.25 version that is listed as being clean.

RicoSuter commented 1 year ago

@Numpsy I think this PR https://github.com/RicoSuter/NSwag/pull/4001 will hopefully remove these old things...

Numpsy commented 1 year ago

I'll keep an eye on the Mend reports, but as it stands it looks like the .NET 4.6.2 build of the Console projects still use the ASP.NetCore 2.1 libs - e.g https://github.com/RicoSuter/NSwag/blob/e078e67b8c74c43b90c46c77a233ab75c248d622/src/NSwag.Commands/NSwag.Commands.csproj#L27C15-L27C15

Numpsy commented 1 year ago

Ok, Mend thinks that the 14.0.0 preview 5 package has 2 issues, as compared to the 3 previously:

image

Numpsy commented 1 year ago

As a general side thought on this, together with #4502 - If things get built with the .NET 8 SDK, would there be any value in enabling the new auditing features in NuGet - https://devblogs.microsoft.com/dotnet/announcing-dotnet-8-preview-4/#enabling-security-auditing ?

olegd-superoffice commented 9 months ago

So it looks like NSwag.MSBuild 14.x is not get flagged by Mend/WhiteSource any more after #4561 is merged. I guess this issue can be closed?

Numpsy commented 9 months ago

I'm currently seeing this on a view for one of the projects at work:

image

(Not sure if there are actually any changes in 14.0.2 or it's just not analysed the new package yet)

Numpsy commented 9 months ago

The .NET Framework version of the tool in 14.0.0 contains a copy of Microsoft.AspNetCore.Server.Kestrel.Core.dll version 2.1.3. The listed CVEs suggest updating it to 2.1.7 to get the fix, however the Nuget listing for it says that has vulnerabilities as well, so maybe we could try updating it to the 2.1.25 version that is listed as clean?

image

Maybe a similar situation with Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets as well

olegd-superoffice commented 9 months ago

@Numpsy Yes, looks like it is transitional reference. Can be fixed by explicitly referencing it from the project. Can you get a list of all transitional references which need to be updated, from your scanner?

But CVE-2019-0548 looks totally ridiculous in this case:

The vulnerability affects any Microsoft ASP.NET 1.0/1.1/2.1 Core applications if it is hosted on an IIS server running AspNetCoreModule (ANCM) prior to 12.1.18340.7

Numpsy commented 9 months ago

Alas, Mend doesn't have any 'intelligence' or context - it's just 'the library is here, therefore theres a problem', even if it's things with IIS or websockets or similar that shouldn't effect a command line tool :-(

Can you get a list of all transitional references which need to be updated

Mend is a bit lacking in detailed information here, but fortunately if you're using the .NET 8 SDK and a current Visual Studio 2022 version, the NuGet client will tell you itself:

image

I'm just trying a PR to update the ASP ones.

Numpsy commented 9 months ago

On a related note, if you enable nuget package auditing in the solution, e.g https://github.com/Numpsy/NSwag/commit/264d3db8ce0c082594c41741cff2577c515812f6 then you get warnings from command line builds as well, which may or may not be useful for CI builds? (Or maybe GitHub Actions has something built in to do it, I don't know)

There are a few other warnings in the solution on top of the ones mentioned here, e.g.

image

So i'm not sure if there's anything else that could be checked separately.