airgap-it / beacon-sdk

The beacon sdk allows developers of dApps and wallets on Tezos to implement the wallet interaction standard tzip-10.
https://walletbeacon.io
MIT License

Axios Cross-Site Request Forgery Vulnerability #670

Closed BearCooder closed 8 months ago

BearCooder commented 11 months ago

The Axios Cross-Site Request Forgery Vulnerability was published 2 weeks ago. Github Vulnerability Details

I just got notified after installing the dependencies. It seems Beacon SDK uses a vulnerable Axios version? I have the latest Beacon and Taquito versions installed.

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @taquito/taquito@14.2.0, which is a breaking change
node_modules/@taquito/http-utils/node_modules/axios
node_modules/axios
  @airgap/beacon-transport-matrix  *
  Depends on vulnerable versions of axios
  node_modules/@airgap/beacon-transport-matrix
    @airgap/beacon-dapp  *
    Depends on vulnerable versions of @airgap/beacon-transport-matrix
    node_modules/@airgap/beacon-dapp
      @taquito/beacon-wallet  >=12.0.0-beta-RC.0
      Depends on vulnerable versions of @airgap/beacon-dapp
      Depends on vulnerable versions of @taquito/taquito
      node_modules/@taquito/beacon-wallet
    @airgap/beacon-sdk  >=2.4.0-beta.0
    Depends on vulnerable versions of @airgap/beacon-dapp
    Depends on vulnerable versions of @airgap/beacon-transport-matrix
    Depends on vulnerable versions of @airgap/beacon-wallet
    node_modules/@airgap/beacon-sdk
    @airgap/beacon-wallet  *
    Depends on vulnerable versions of @airgap/beacon-transport-matrix
    node_modules/@airgap/beacon-wallet
  @taquito/http-utils  >=12.0.0-beta-RC.0
  Depends on vulnerable versions of axios
  node_modules/@taquito/http-utils
    @taquito/rpc  12.0.0-beta-RC.0 - 14.2.0-beta-RC.0 || >=15.0.0-beta-RC.0
    Depends on vulnerable versions of @taquito/http-utils
    node_modules/@taquito/rpc
      @taquito/michelson-encoder  12.0.0-beta-RC.0 - 13.0.1 || >=15.0.0-beta-RC.0
      Depends on vulnerable versions of @taquito/rpc
      node_modules/@taquito/michelson-encoder
      @taquito/taquito  12.0.0-beta-RC.0 - 14.2.0-beta-RC.0 || >=15.0.0-beta-RC.0
      Depends on vulnerable versions of @taquito/http-utils
      Depends on vulnerable versions of @taquito/michelson-encoder
      Depends on vulnerable versions of @taquito/rpc
      node_modules/@taquito/taquito

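The report above only says which packages "depend on vulnerable versions" of something; it does not say which of the packages you declared yourself are the ones pulling the flagged package in, or along which path. The following script is an added example for this thread (it is not code from beacon-sdk or Taquito): it parses the plain-text `npm audit` format shown in the comment and walks the "Depends on vulnerable versions of" edges to list every chain from a declared dependency down to the package carrying the advisory. The embedded report is a constructed, abridged copy of the one posted above, and the `declared` list stands in for a hypothetical package.json; it is plain Node.js with no third-party modules.

```javascript
// Constructed sample: an abridged copy of the report posted in the issue above.
const SAMPLE_REPORT = `
# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via \`npm audit fix --force\`
Will install @taquito/taquito@14.2.0, which is a breaking change
node_modules/axios
  @airgap/beacon-transport-matrix  *
  Depends on vulnerable versions of axios
  node_modules/@airgap/beacon-transport-matrix
    @airgap/beacon-dapp  *
    Depends on vulnerable versions of @airgap/beacon-transport-matrix
    node_modules/@airgap/beacon-dapp
      @taquito/beacon-wallet  >=12.0.0-beta-RC.0
      Depends on vulnerable versions of @airgap/beacon-dapp
      Depends on vulnerable versions of @taquito/taquito
      node_modules/@taquito/beacon-wallet
    @airgap/beacon-sdk  >=2.4.0-beta.0
    Depends on vulnerable versions of @airgap/beacon-dapp
    Depends on vulnerable versions of @airgap/beacon-transport-matrix
    Depends on vulnerable versions of @airgap/beacon-wallet
    node_modules/@airgap/beacon-sdk
    @airgap/beacon-wallet  *
    Depends on vulnerable versions of @airgap/beacon-transport-matrix
    node_modules/@airgap/beacon-wallet
  @taquito/http-utils  >=12.0.0-beta-RC.0
  Depends on vulnerable versions of axios
  node_modules/@taquito/http-utils
    @taquito/taquito  12.0.0-beta-RC.0 - 14.2.0-beta-RC.0 || >=15.0.0-beta-RC.0
    Depends on vulnerable versions of @taquito/http-utils
    node_modules/@taquito/taquito
`;

// Parse the report into Map<name, node>. A node records the affected version range,
// the advisory (present only on the root package), the install paths, and the set of
// vulnerable packages it depends on. Indentation is ignored; the edges carry the tree.
function parseAuditReport(text) {
  const nodes = new Map();
  const getNode = (name) => nodes.get(name) ||
    nodes.set(name, { name, range: null, severity: null, title: null,
      advisory: null, fix: [], paths: [], dependsOn: new Set() }).get(name);
  let cur = null; // package whose block we are currently inside
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if (!line || line.startsWith('#')) continue;
    if (cur && (m = /^Severity: (\w+)$/.exec(line))) cur.severity = m[1];
    else if (cur && (m = /^Depends on vulnerable versions of (\S+)$/.exec(line))) {
      cur.dependsOn.add(m[1]);
      getNode(m[1]); // placeholder until (or in case) its own header block appears
    } else if (cur && line.startsWith('node_modules/')) cur.paths.push(line);
    else if (cur && (m = /^(.*) - (https?:\/\/\S+)$/.exec(line))) {
      cur.title = m[1];
      cur.advisory = m[2];
    } else if (cur && /^(fix available|Will install)/.test(line)) cur.fix.push(line);
    else if ((m = /^(\S+)\s{2,}(\S.*)$/.exec(line))) { // "name  range" header line
      cur = getNode(m[1]);
      cur.range = m[2];
    }
  }
  return nodes;
}

// Enumerate every chain from `from` down to `target` along the "Depends on" edges.
// A chain never revisits a package, so a cyclic report cannot loop forever.
function chainsTo(nodes, from, target) {
  const chains = [];
  const walk = (name, path) => {
    if (name === target) { chains.push(path); return; }
    const node = nodes.get(name);
    if (!node) return;
    for (const dep of node.dependsOn) {
      if (!path.includes(dep)) walk(dep, [...path, dep]);
    }
  };
  walk(from, [from]);
  return chains;
}

// Packages that carry an advisory themselves, i.e. the roots of the report.
function advisoryRoots(nodes) {
  return [...nodes.values()].filter((n) => n.advisory).map((n) => n.name);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = parseAuditReport(SAMPLE_REPORT);
  const declared = ['@airgap/beacon-sdk', '@taquito/taquito', 'react']; // constructed package.json deps
  for (const root of advisoryRoots(report)) {
    const r = report.get(root);
    console.log(`${root} ${r.range} [${r.severity}] ${r.title}\n  ${r.advisory}\n  ${r.fix.join(' / ')}`);
    for (const dep of declared.filter((d) => report.has(d))) {
      for (const chain of chainsTo(report, dep, root)) console.log('  ' + chain.join(' -> '));
    }
  }
}
```

Run it with `node audit-chains.js` (a hypothetical file name) and it prints, for each advisory root, the chains that reach it from your own dependencies; for the sample that is three chains from `@airgap/beacon-sdk` (via beacon-dapp, via beacon-transport-matrix directly, and via beacon-wallet) and one from `@taquito/taquito` through `@taquito/http-utils`. Knowing the chains matters because the `npm audit fix --force` line in the report proposes a breaking downgrade of Taquito rather than a fix of the root cause; the chains show that only new releases of the intermediate packages (here beacon-transport-matrix and taquito's http-utils) can actually remove the vulnerable axios range, which is what the later comments in this thread confirm.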
BearCooder commented 10 months ago

FYI as this is also in Taquito. Taquito is replacing axios with native Fetch as Fetch is a built-in feature in Node, so no package imports are necessary. So this way this issue will resolve itself with the new release. https://github.com/ecadlabs/taquito/issues/2735#issuecomment-1828866203

IsaccoSordo commented 10 months ago

Hey @BearCooder, thanks for bringing up this issue. Currently, we're sticking with axios, but we might swap it out for fetch down the line. Appreciate it!

IsaccoSordo commented 8 months ago

This issue should be solved since v4.1.1.