actions-on-google / actions-on-google-nodejs

Node.js client library for Actions on Google
https://actions-on-google.github.io/actions-on-google-nodejs
Apache License 2.0
900 stars 197 forks

npm audit has been reporting vulnerabilities since at least October 2020, please can we update dependencies? #427

Closed JustAnotherGitHubUserYouDontKnow closed 2 years ago

JustAnotherGitHubUserYouDontKnow commented 3 years ago

Here's the latest from today; this library alone is bringing 10 high security vulnerabilities into my project. It seems to be the very last of the Google libraries to update its dependencies since their discovery, by a long, long way.

C'mon, don't leave our projects vulnerable for so long.

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/actions-on-google/node_modules/axios
node_modules/gcp-metadata/node_modules/axios
  gcp-metadata  0.5.0 - 4.1.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
  node_modules/googleapis-common/node_modules/gcp-metadata
  node_modules/googleapis/node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/actions-on-google/node_modules/google-auth-library
    node_modules/googleapis-common/node_modules/google-auth-library
    node_modules/googleapis/node_modules/google-auth-library
      actions-on-google  >=1.8.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis
      node_modules/actions-on-google
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - https://npmjs.com/advisories/1690
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/json-bigint
  gcp-metadata  0.5.0 - 4.1.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
  node_modules/googleapis-common/node_modules/gcp-metadata
  node_modules/googleapis/node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/actions-on-google/node_modules/google-auth-library
    node_modules/googleapis-common/node_modules/google-auth-library
    node_modules/googleapis/node_modules/google-auth-library
      actions-on-google  >=1.8.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis
      node_modules/actions-on-google
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

node-forge  <=0.9.2
Severity: high
Prototype Pollution in node-forge - https://npmjs.com/advisories/1561
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.0.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
      google-auth-library  0.9.4 - 5.10.1
      Depends on vulnerable versions of axios
      Depends on vulnerable versions of gcp-metadata
      Depends on vulnerable versions of gcp-metadata
      Depends on vulnerable versions of gtoken
      node_modules/actions-on-google/node_modules/google-auth-library
      node_modules/googleapis-common/node_modules/google-auth-library
      node_modules/googleapis/node_modules/google-auth-library
        actions-on-google  >=1.8.0
        Depends on vulnerable versions of google-auth-library
        Depends on vulnerable versions of googleapis
        node_modules/actions-on-google
        googleapis  37.0.0-webpack - 48.0.0
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis
        googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis-common

10 high severity vulnerabilities

Michael-Hanley commented 3 years ago

+1

mishushakov commented 2 years ago

npm audit is broken

please read: https://overreacted.io/npm-audit-broken-by-design/

JustAnotherGitHubUserYouDontKnow commented 2 years ago

That article relates to a node app being used to generate static HTML, CSS and JS code; it explicitly is NOT referring to a live node app for which untrusted inputs might make their way to that vulnerable code in normal internet-facing usage.

In the case of this library, it is VERY MUCH used in a permanently online, internet-facing context.

Though the vulnerabilities in these nested dependencies are not likely to be implemented or accessible from their specific uses within this library, that is far from guaranteed. It might not be considered a vulnerability to pass options down the line that affect those calls; only a full review of the code (or a creative hacker) could tell me that. And the only automated tool available to tell me that something vulnerable is known along the chain... is npm audit.

In any case, google cloud functions (the context in which my server-side code is used) are loaded more efficiently if consistent, recent and therefore internally-cached versions of libraries are used throughout.

Therefore, the dependency issue in this package not only increases the risk that my app may be compromised by hackers (who are, by definition, creative enough to pursue taking advantage of such deeply nested vulnerabilities), but it literally costs me money right now by increasing the cold-start overhead of each instance.

I see no good reason for this package to continue to load old and vulnerable versions of dependencies that all its peers have long since left behind.
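
As an added example (not code from this issue or from the actions-on-google project): the comment above argues that the only automated signal for a known-vulnerable package deep in the tree is `npm audit`, and that what matters is which of the project's own dependencies drag that package in and whether a non-breaking fix exists. The Node.js script below walks an `npm audit --json` report (the `auditReportVersion: 2` shape npm 7+ emits, with `via`, `effects`, `isDirect` and `fixAvailable` fields) and answers exactly those two questions per advisory. The report embedded here is a constructed sample mirroring the axios and json-bigint chains printed in the issue, not real tool output.

```javascript
'use strict';

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2, npm 7+).
// It mirrors the chains from the issue: axios / json-bigint -> gcp-metadata ->
// google-auth-library -> actions-on-google and googleapis. Not real tool output.
const breakingFix = { name: 'actions-on-google', version: '1.7.0', isSemVerMajor: true };
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      severity: 'high', isDirect: false, range: '<0.21.1', fixAvailable: breakingFix,
      via: [{ source: 1594, name: 'axios', title: 'Server-Side Request Forgery',
              url: 'https://npmjs.com/advisories/1594', severity: 'high', range: '<0.21.1' }],
      effects: ['gcp-metadata'],
    },
    'json-bigint': {
      severity: 'high', isDirect: false, range: '<1.0.0', fixAvailable: breakingFix,
      via: [{ source: 1690, name: 'json-bigint', title: 'Uncontrolled Resource Consumption in json-bigint',
              url: 'https://npmjs.com/advisories/1690', severity: 'high', range: '<1.0.0' }],
      effects: ['gcp-metadata'],
    },
    'gcp-metadata': {
      severity: 'high', isDirect: false, range: '0.5.0 - 4.1.0', fixAvailable: breakingFix,
      via: ['axios', 'json-bigint'], effects: ['google-auth-library'],
    },
    'google-auth-library': {
      severity: 'high', isDirect: false, range: '0.9.4 - 5.10.1', fixAvailable: breakingFix,
      via: ['axios', 'gcp-metadata'], effects: ['actions-on-google', 'googleapis', 'googleapis-common'],
    },
    'googleapis-common': {
      severity: 'high', isDirect: false, range: '0.6.0-webpack - 3.2.2', fixAvailable: breakingFix,
      via: ['google-auth-library'], effects: ['googleapis'],
    },
    googleapis: {
      severity: 'high', isDirect: true, range: '37.0.0-webpack - 48.0.0', fixAvailable: breakingFix,
      via: ['google-auth-library', 'googleapis-common'], effects: ['actions-on-google'],
    },
    'actions-on-google': {
      severity: 'high', isDirect: true, range: '>=1.8.0', fixAvailable: breakingFix,
      via: ['google-auth-library', 'googleapis'], effects: [],
    },
  },
};

// `via` mixes advisory objects (root causes) with names of vulnerable dependencies.
const isAdvisory = (v) => v !== null && typeof v === 'object' && typeof v.url === 'string';

// One row per advisory object found in any entry's `via`: these are the actual CVE-style findings,
// as opposed to packages that are flagged only because they depend on a flagged package.
function rootAdvisories(report) {
  const rows = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities)) {
    for (const v of entry.via) {
      if (isAdvisory(v)) rows.push({ pkg, title: v.title, url: v.url, severity: v.severity, range: v.range });
    }
  }
  return rows;
}

// Follow `effects` edges (package -> packages that depend on it) from a vulnerable package
// until the project's own direct dependencies are reached. The `seen` set makes it cycle-safe.
function directDependentsOf(report, pkg) {
  const vulns = report.vulnerabilities;
  const seen = new Set();
  const direct = new Set();
  const stack = [pkg];
  while (stack.length > 0) {
    const cur = stack.pop();
    if (seen.has(cur) || !vulns[cur]) continue;
    seen.add(cur);
    if (vulns[cur].isDirect) direct.add(cur);
    stack.push(...vulns[cur].effects);
  }
  return [...direct].sort();
}

// npm encodes the fix as: true = plain `npm audit fix` works, false = no fix,
// object = only reachable by bumping a top-level package (breaking when isSemVerMajor).
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'non-breaking';
  if (!fixAvailable) return 'none';
  const { name, version, isSemVerMajor } = fixAvailable;
  return `${name}@${version}${isSemVerMajor ? ' (breaking)' : ''}`;
}

// Per advisory: which direct dependencies pull it in, and how npm says it can be fixed.
function summarize(report) {
  return rootAdvisories(report).map((adv) => ({
    ...adv,
    directDependents: directDependentsOf(report, adv.pkg),
    fix: describeFix(report.vulnerabilities[adv.pkg].fixAvailable),
  }));
}

// Top-level packages whose only offered fix is a semver-major bump: the ones to chase upstream.
function breakingFixPackages(report) {
  const names = new Set();
  for (const entry of Object.values(report.vulnerabilities)) {
    const f = entry.fixAvailable;
    if (f && typeof f === 'object' && f.isSemVerMajor) names.add(f.name);
  }
  return [...names].sort();
}

function printSummary(report) {
  for (const row of summarize(report)) {
    console.log(`${row.severity.toUpperCase()} ${row.pkg} ${row.range}: ${row.title} (${row.url})`);
    console.log(`  reaches direct deps: ${row.directDependents.join(', ') || '(none)'}; fix: ${row.fix}`);
  }
  console.log(`direct deps needing a major bump: ${breakingFixPackages(report).join(', ') || '(none)'}`);
}

printSummary(SAMPLE_REPORT);
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe `npm audit --json` into the script. The output only tells you which of your direct dependencies carry the advisory and whether a non-breaking fix exists; whether the vulnerable code path is reachable from your app is, as the comment says, something the audit data cannot decide, so a transitive finding with no non-breaking fix is a reason to raise an upstream issue like this one rather than to force a major bump blindly.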

mishushakov commented 2 years ago

sure and I agree with that in theory, but in practice nobody would go that far, because there is no money to be made by exploiting Actions on Google

of course this doesn't mean the package should keep these vulnerable dependencies unfixed

I'd suggest either staying away from this package and building the JSON responses yourself, or removing package-lock.json, so that npm always pulls the latest dependency tree

The Actions on Google team has a very bad record of maintaining their packages (if they don't straight up deprecate them) and is always slow to respond (months slow)

Fleker commented 2 years ago

Hey folks, thanks for your feedback. I just got back from a vacation, and getting these dependencies updated is going to be a top priority of mine.

Fleker commented 2 years ago

Good afternoon folks, we've just published v3.0.0, which updates to a minimum of Node 12 and updates dependencies.

JustAnotherGitHubUserYouDontKnow commented 2 years ago

Thanks @Fleker, your attention on this is greatly appreciated! 😊