apostrophecms / apostrophe

A full-featured, open-source content management framework built with Node.js that empowers organizations by combining in-context editing and headless architecture in a full-stack JS environment.
https://apostrophecms.com

Potential Security Vulnerabilities #3169

Closed felixlberg closed 3 years ago

felixlberg commented 3 years ago

Environment

node -v
v12.20.1

npm -v
7.17.0

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:    20.04
Codename:   focal

Reproduce

apos create-project test-project
cd test-project
npm install

You get the following output:

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated messageformat@2.3.0: Package renamed as '@messageformat/core', see messageformat.github.io for more details. 'messageformat' will eventually provide a polyfill for Intl.MessageFormat, once it's been defined by Unicode & ECMA.
npm WARN deprecated core-js@1.2.7: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 570 packages, and audited 571 packages in 24s

29 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (1 moderate, 4 high, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Running npm audit gives you the following:

# npm audit report

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install apostrophe@0.4.112, which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
    Depends on vulnerable versions of css-select
    node_modules/cheerio
      apostrophe  >=0.4.113
      Depends on vulnerable versions of cheerio
      Depends on vulnerable versions of nodemailer
      Depends on vulnerable versions of oembetter
      Depends on vulnerable versions of sanitize-html
      node_modules/apostrophe
      oembetter  >=0.1.14
      Depends on vulnerable versions of cheerio
      node_modules/oembetter

nodemailer  <6.4.16
Severity: critical
Command Injection - https://npmjs.com/advisories/1708
fix available via `npm audit fix --force`
Will install apostrophe@0.4.112, which is a breaking change
node_modules/nodemailer
  apostrophe  >=0.4.113
  Depends on vulnerable versions of cheerio
  Depends on vulnerable versions of nodemailer
  Depends on vulnerable versions of oembetter
  Depends on vulnerable versions of sanitize-html
  node_modules/apostrophe

sanitize-html  <=2.3.1
Severity: moderate
Improper Input Validation - https://npmjs.com/advisories/1675
Improper Input Validation - https://npmjs.com/advisories/1676
fix available via `npm audit fix --force`
Will install apostrophe@0.4.112, which is a breaking change
node_modules/sanitize-html
  apostrophe  >=0.4.113
  Depends on vulnerable versions of cheerio
  Depends on vulnerable versions of nodemailer
  Depends on vulnerable versions of oembetter
  Depends on vulnerable versions of sanitize-html
  node_modules/apostrophe

So I checked the package-lock.json file manually, which gave me some additional information:

    "apostrophe": {
      "version": "2.220.1",
      "resolved": "https://registry.npmjs.org/apostrophe/-/apostrophe-2.220.1.tgz",
      "integrity": "sha512-MnhcehAri2dGbMR9NYWdDGmeNf3fiki4PaR4vGiIHm1xPYPM3J9BE30qsn9syyQSTPaYbS7222SctrumkI7J4g==",
      "requires": {
        "@apostrophecms/nunjucks": "^2.5.4",
        "@sailshq/lodash": "^3.10.4",
        "async": "^1.5.2",
        "bless": "^3.0.3",
        "bluebird": "^3.7.1",
        "body-parser": "^1.19.0",
        "cheerio": "^0.22.0",
        "chokidar": "^3.5.1",
        "cli-progress": "^2.1.1",
        "connect-flash": "^0.1.1",
        "connect-multiparty": "^2.2.0",
        "cookie-parser": "^1.4.5",
        "credential": "^2.0.0",
        "cuid": "^1.3.8",
        "deep-get-set": "^0.1.1",
        "diff": "^4.0.1",
        "emulate-mongo-2-driver": "^1.2.3",
        "express": "^4.17.1",
        "express-session": "^1.17.0",
        "glob": "^5.0.15",
        "he": "^0.5.0",
        "heic-to-jpeg-middleware": "^2.0.0",
        "html-to-plaintext": "^0.1.1",
        "html-to-text": "^5.1.1",
        "i18n": "^0.8.6",
        "is-wsl": "^2.2.0",
        "joinr": "^1.0.2",
        "jpeg-exif": "^1.1.4",
        "launder": "^1.5.0",
        "less": "^3.13.1",
        "less-middleware": "^3.1.0",
        "minimatch": "^3.0.4",
        "mkdirp": "^1.0.3",
        "moment": "^2.29.1",
        "moog-require": "^1.1.0",
        "nodemailer": "^4.7.0",
        "oembetter": "^1.0.0",
        "passport": "^0.3.2",
        "passport-local": "^1.0.0",
        "passport-totp": "0.0.2",
        "path-to-regexp": "^1.7.0",
        "performance-now": "^2.1.0",
        "qs": "^6.9.6",
        "regexp-quote": "0.0.0",
        "request": "^2.88.2",
        "request-promise": "^4.2.4",
        "resolve": "^1.20.0",
        "rimraf": "^2.7.1",
        "sanitize-html": "^1.22.1",
        "server-destroy": "^1.0.1",
        "sluggo": "^0.2.0",
        "syntax-error": "^1.3.0",
        "thirty-two": "^1.0.2",
        "tinycolor2": "^1.4.1",
        "uglify-js": "^2.8.29",
        "underscore.string": "^3.3.5",
        "uploadfs": "^1.17.2",
        "xregexp": "^2.0.0",
        "yargs": "^3.32.0"
      }
    },

As described here and shown in the output of npm audit, nodemailer before version 6.4.16 is vulnerable to command injection.

The other vulnerabilities shown in npm audit depend on these 4 dependencies:

  Depends on vulnerable versions of cheerio
  Depends on vulnerable versions of nodemailer
  Depends on vulnerable versions of oembetter
  Depends on vulnerable versions of sanitize-html

Additional information here, here and here.

Solution

Apostrophe should update all dependencies to their latest versions to minimize vulnerabilities and security risks.
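As an added example (not code from this issue or from the apostrophe project): a small Node.js script that walks a package-lock.json v1 dependency tree offline and flags installed versions that fall inside the ranges npm audit reported above. It assumes only simple comparator ranges (the hyphen range shown for cheerio is not handled) and uses a constructed lockfile fragment whose versions come from the npm outdated table in this thread, except css-what, which is a placeholder.

```javascript
// Minimal semver comparator: "x.y.z" with an optional "-pre" suffix (a release sorts above its prereleases).
function parseVer(v) {
  const [core, pre] = v.split('-');
  return { nums: core.split('.').map(Number), pre: pre || null };
}
function cmpVer(a, b) {
  const pa = parseVer(a), pb = parseVer(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}
// Ranges in the form npm audit prints them: "<5.0.1", "<=2.3.1", ">=0.4.113".
function satisfies(version, range) {
  const m = range.match(/^(<=|>=|<|>)?(\S+)$/);
  if (!m) throw new Error('unsupported range: ' + range);
  const c = cmpVer(version, m[2]);
  const ops = { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 };
  return m[1] ? ops[m[1]] : c === 0;
}
// Advisory ranges copied from the npm audit report in this issue.
const ADVISORIES = {
  'css-what': { range: '<5.0.1', severity: 'high' },
  nodemailer: { range: '<6.4.16', severity: 'critical' },
  'sanitize-html': { range: '<=2.3.1', severity: 'moderate' },
};
// Walk a lockfile-v1 "dependencies" tree (nested deps sit under each entry)
// and return every installed version that lies inside an advisory range.
function findVulnerable(lock, advisories = ADVISORIES, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const adv = advisories[name];
    if (adv && satisfies(entry.version, adv.range)) {
      out.push({ name, version: entry.version, severity: adv.severity,
                 via: [...path, name].join(' > ') });
    }
    findVulnerable(entry, advisories, [...path, name], out);
  }
  return out;
}
// Constructed lockfile fragment (versions from the npm outdated table; css-what is a placeholder).
const SAMPLE_LOCK = { dependencies: { apostrophe: { version: '2.220.1', dependencies: {
  nodemailer: { version: '4.7.0' },
  'sanitize-html': { version: '1.27.5' },
  cheerio: { version: '0.22.0', dependencies: { 'css-what': { version: '2.1.3' } } },
} } } };
console.table(findVulnerable(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.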

felixlberg commented 3 years ago

To get further information about updates to apostrophe core, I cloned this repo and checked packages with npm-check-updates:

Checking /home/felix/github/apostrophe/package.json
[====================] 67/67 100%

 eslint                     ^6.5.1  →  ^7.28.0     
 eslint-config-apostrophe   ^2.0.2  →   ^3.4.1     
 eslint-config-standard    ^11.0.0  →  ^16.0.3     
 eslint-plugin-import      ^2.18.2  →  ^2.23.4     
 eslint-plugin-node         ^6.0.1  →  ^11.1.0     
 eslint-plugin-promise      ^3.8.0  →   ^5.1.0     
 eslint-plugin-standard     ^3.1.0  →   ^4.1.0     
 mocha                      ^7.0.0  →   ^9.0.0     
 async                      ^1.5.2  →   ^3.2.0     
 bless                      ^3.0.3  →   ^4.0.4     
 bluebird                   ^3.7.1  →   ^3.7.2     
 chokidar                   ^3.5.1  →   ^3.5.2     
 cli-progress               ^2.1.1  →   ^3.9.0     
 cuid                       ^1.3.8  →   ^2.1.8     
 deep-get-set               ^0.1.1  →   ^1.1.1     
 diff                       ^4.0.1  →   ^5.0.0     
 express-session           ^1.17.0  →  ^1.17.2     
 glob                      ^5.0.15  →   ^7.1.7     
 he                         ^0.5.0  →   ^1.2.0     
 html-to-text               ^5.1.1  →   ^8.0.0     
 i18n                       ^0.8.6  →  ^0.13.3     
 less                      ^3.13.1  →   ^4.1.1     
 mkdirp                     ^1.0.3  →   ^1.0.4     
 moog-require               ^1.1.0  →   ^1.3.0     
 nodemailer                 ^4.7.0  →   ^6.6.1     
 passport                   ^0.3.2  →   ^0.4.1     
 path-to-regexp             ^1.7.0  →   ^6.2.0     
 qs                         ^6.9.6  →  ^6.10.1     
 rimraf                     ^2.7.1  →   ^3.0.2     
 sanitize-html             ^1.22.1  →   ^2.4.0     
 sluggo                     ^0.2.0  →   ^0.3.1     
 syntax-error               ^1.3.0  →   ^1.4.0     
 tinycolor2                 ^1.4.1  →   ^1.4.2     
 uglify-js                 ^2.8.29  →  ^3.13.9     
 uploadfs                  ^1.17.2  →  ^1.18.2     
 xregexp                    ^2.0.0  →   ^5.0.2     
 yargs                     ^3.32.0  →  ^17.0.1 

There seems to be a common problem with npm update here. That is the reason I've used npm-check-updates. This has some potential breaking changes because, as you can see above, these are mostly major versions to update.

I got additional information by running npm outdated:

async                       1.5.2   1.5.2        3.2.0  node_modules/async                     apostrophe
bless                       3.0.3   3.0.3        4.0.4  node_modules/bless                     apostrophe
cheerio                    0.22.0  0.22.0  1.0.0-rc.10  node_modules/cheerio                   apostrophe
cli-progress                2.1.1   2.1.1        3.9.0  node_modules/cli-progress              apostrophe
cuid                        1.3.8   1.3.8        2.1.8  node_modules/cuid                      apostrophe
deep-get-set                0.1.1   0.1.1        1.1.1  node_modules/deep-get-set              apostrophe
diff                        4.0.2   4.0.2        5.0.0  node_modules/diff                      apostrophe
eslint                      6.8.0   6.8.0       7.28.0  node_modules/eslint                    apostrophe
eslint-config-apostrophe    2.0.2   2.0.2        3.4.1  node_modules/eslint-config-apostrophe  apostrophe
eslint-config-standard     11.0.0  11.0.0       16.0.3  node_modules/eslint-config-standard    apostrophe
eslint-plugin-node          6.0.1   6.0.1       11.1.0  node_modules/eslint-plugin-node        apostrophe
eslint-plugin-promise       3.8.0   3.8.0        5.1.0  node_modules/eslint-plugin-promise     apostrophe
eslint-plugin-standard      3.1.0   3.1.0        5.0.0  node_modules/eslint-plugin-standard    apostrophe
glob                       5.0.15  5.0.15        7.1.7  node_modules/glob                      apostrophe
he                          0.5.0   0.5.0        1.2.0  node_modules/he                        apostrophe
html-to-text                5.1.1   5.1.1        8.0.0  node_modules/html-to-text              apostrophe
i18n                        0.8.6   0.8.6       0.13.3  node_modules/i18n                      apostrophe
less                       3.13.1  3.13.1        4.1.1  node_modules/less                      apostrophe
mocha                       7.2.0   7.2.0        9.0.0  node_modules/mocha                     apostrophe
nodemailer                  4.7.0   4.7.0        6.6.1  node_modules/nodemailer                apostrophe
passport                    0.3.2   0.3.2        0.4.1  node_modules/passport                  apostrophe
path-to-regexp              1.8.0   1.8.0        6.2.0  node_modules/path-to-regexp            apostrophe
rimraf                      2.7.1   2.7.1        3.0.2  node_modules/rimraf                    apostrophe
sanitize-html              1.27.5  1.27.5        2.4.0  node_modules/sanitize-html             apostrophe
sluggo                      0.2.0   0.2.0        0.3.1  node_modules/sluggo                    apostrophe
uglify-js                  2.8.29  2.8.29       3.13.9  node_modules/uglify-js                 apostrophe
xregexp                     2.0.0   2.0.0        5.0.2  node_modules/xregexp                   apostrophe
yargs                      3.32.0  3.32.0       17.0.1  node_modules/yargs                     apostrophe

I'm not an expert with apostrophe's core, so I can't know whether updating all these packages would break things in unexpected ways. @boutell maybe you could take a look at this and tell me your opinion about that?

felixlberg commented 3 years ago

I've checked some CHANGELOGS of these dependencies for breaking changes:

nodemailer should have no breaking changes from 4.7.0 to latest: CHANGELOG

cheerio has some breaking changes updating from 0.x to 1.0.0: CHANGELOG

sanitize-html is made by apostrophe so I think you know it the best.

abea commented 3 years ago

Thanks, @felixlberg. We started some work on this in #3042 but there were some blockers as I recall. We definitely have an eye on it.

felixlberg commented 3 years ago

Ok thx for the fast reply. If I can help you guys with something, for example updating the dependencies of apostrophe extensions just let me know...

abea commented 3 years ago

This should all be resolved as of the release on Wednesday, 3.1.0.