Closed ETLaurent closed 2 years ago
Michelin had reported some vulnerabilities in the container and Apostrophe modules that need to be updated, based on reports in the MS Azure Security Defender, which uses Qualys scanning or Gitlab scanning. Per Stéphane the **xlsx vulnerability** is regarded as quite important. Currently `apostrophe-tiptap-rich-text-widgets` and `apostrophe-pieces-import` do have a denial-of-service vulnerability. However, this vulnerability can be exploited only by Apostrophe content editors (people with editing permissions in your environment). Practically speaking, those somewhat trusted parties have other ways to create a denial of service, such as repetitively uploading large images, although there is a small chance someone could encourage them to upload a bad Excel file to the site.

See: [https://gitlab-dcadcx.michelin.net/pa/apostrophe-enhancements/-/issues/1162](https://gitlab-dcadcx.michelin.net/pa/apostrophe-enhancements/-/issues/1162)

**Acceptance Criteria**

* upgrade the offending npm package (xlsx) to the latest major version in both modules
* verify xlsx import still works — fix any problems caused by bc breaks in the xlsx module

Update the Michelin Support Stream ticket with relevant info in a comment, or get Lindsay to do so.
Summary

Fixes a denial-of-service vulnerability by bumping the `xlsx` package to its latest version.

What are the specific steps to test this change?

1. `npm i github:apostrophecms/apostrophe-tiptap-rich-text-widgets#pro-3136-xlsx`
2. Add `'apostrophe-tiptap-rich-text-widgets': {},` to `app.js`
3. `'apostrophe-rich-text'` widgets from `lib/modules/apostrophe-pages/views/pages/home.html` as below:
4. `npm run start`