RuntimeTools / appmetrics

Node Application Metrics provides a foundational infrastructure for collecting resource and performance monitoring data for Node.js-based applications.
https://developer.ibm.com/open/node-application-metrics/
Apache License 2.0

SHA-1 Weak Authentication Algorithm vulnerability in dependency "request" #647

Open aqan213 opened 3 years ago

aqan213 commented 3 years ago

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package. The vulnerability reports that

"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." 

The module bluemix-autoscaling-agent uses the latest version appmetrics v5.1.1 and request 2.88.0 is a dependency of node-gyp 5.1.1 which is the dependency of appmetrics.

Here is the hierarchy of the "request" module tracking back to bluemix-autoscaling-agent.

Three instances:

1. "request": "^2.72.0" is required by
   "ibmapm-restclient": "version": "20.8.0", which is required by
   "ibmapm-embed": "version": "20.8.4", which is required by
   "appmetrics": "version": "5.1.1", which is required by
   "bluemix-autoscaling-agent": "version": "1.0.14"

2. "request": "^2.88.0" is required by
   "node-gyp": "version": "5.1.1", which is required by
   "appmetrics": "version": "5.1.1", which is required by
   "bluemix-autoscaling-agent": "version": "1.0.14"

3. "request": "^2.83.0" is required by
   "kubernetes-client": "version": "3.18.1", which is required by
   "ibmapm-restclient": "version": "20.8.0", which is required by
   ……
   "bluemix-autoscaling-agent": "version": "1.0.14"

Can you please take a look?
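Chains like the three above can be traced mechanically instead of by hand. The following is an added example (not code from the appmetrics project or from the reporter) that walks a package-lock.json v1 tree and lists every dependency path ending at a named package. The lockfile fragment is constructed from the names and versions in the report; its layout, the nested copy of request under kubernetes-client, and the root's direct dependencies (taken from package.json, since a v1 lockfile does not record them) are assumptions.

```javascript
// Constructed package-lock.json v1 fragment mirroring the chains in the report
// (names/versions from the report; layout assumed; the nested copy of request
// under kubernetes-client is constructed so the scope-lookup order is exercised).
const LOCK = {
  name: "bluemix-autoscaling-agent",
  version: "1.0.14",
  dependencies: {
    appmetrics: { version: "5.1.1",
      requires: { "node-gyp": "^5.1.1", "ibmapm-embed": "^20.8.4" } },
    "node-gyp": { version: "5.1.1", requires: { request: "^2.88.0" } },
    "ibmapm-embed": { version: "20.8.4",
      requires: { "ibmapm-restclient": "^20.8.0" } },
    "ibmapm-restclient": { version: "20.8.0",
      requires: { request: "^2.72.0", "kubernetes-client": "^3.18.1" } },
    "kubernetes-client": { version: "3.18.1", requires: { request: "^2.83.0" },
      dependencies: { request: { version: "2.83.0" } } },
    request: { version: "2.88.0" },
  },
};

// Lockfile v1 resolves a "requires" entry by checking the package's own nested
// "dependencies" first, then each ancestor's, up to the top level.
function resolve(name, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scope[i], name)) return scope[i][name];
  }
  return null;
}

// Return every chain "root@ver -> ... -> target@ver". rootDeps is the root
// package.json "dependencies" map (assumed input; the lockfile does not record it).
function findChains(lock, rootDeps, target) {
  const chains = [];
  function walk(name, pkg, scope, path) {
    const here = `${name}@${pkg.version}`;
    if (path.includes(here)) return; // cycle guard
    const trail = path.concat(here);
    if (name === target) { chains.push(trail.join(" -> ")); return; }
    const inner = scope.concat([pkg.dependencies || {}]);
    for (const dep of Object.keys(pkg.requires || {})) {
      const resolved = resolve(dep, inner);
      if (resolved) walk(dep, resolved, inner, trail);
    }
  }
  walk(lock.name, { version: lock.version, requires: rootDeps,
    dependencies: lock.dependencies }, [], []);
  return chains;
}
console.log(findChains(LOCK, { appmetrics: "^5.1.1" }, "request").join("\n"));
```

Each reported version of request appears with the chain that pulls it in, so a fix (such as a node-gyp release that drops request) can be checked by re-running the walk on the updated lockfile.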

mattcolegate commented 3 years ago

Thanks for this. The solution would be to update our dependency to a version of node-gyp that doesn't require a version of request. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires request at a level of ^2.88.2. Can you tell me if that version of request still has that vulnerability please?

mattcolegate commented 3 years ago

According to https://github.com/request/request/issues/2640 it looks like all versions of request are vulnerable. Solution is therefore to get node-gyp to move away from request. It looks like they already have an issue open for that, https://github.com/nodejs/node-gyp/issues/2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.

aqan213 commented 3 years ago

Thanks for the response. How about the other 2 versions of request from the other 2 packages?

"request": "^2.72.0" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

and "request": "^2.83.0" --> "kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

mattcolegate commented 3 years ago

Best handled by raising issues on https://github.com/IBM/node-ibmapm-restclient and https://github.com/godaddy/kubernetes-client

donacarr commented 3 years ago

Hi @mattcolegate , it seems like https://github.com/nodejs/node-gyp/pull/2220 solved issue https://github.com/nodejs/node-gyp/issues/2047 by migrating request to fetch. When do you plan to use the nodejs version containing the fix?

mattcolegate commented 3 years ago

Hi @donacarr, looks like this is going into node-gyp v8.0.0 https://github.com/nodejs/node-gyp/pull/2346 - when that version releases we can start looking to pull it into appmetrics