artilleryio / artillery

The complete load testing platform. Everything you need for production-grade load tests. Serverless & distributed. Load test with Playwright. Load test HTTP APIs, GraphQL, WebSocket, and more. Use any Node.js module.
https://www.artillery.io
Mozilla Public License 2.0

requirejs vulnerable to prototype pollution #3272

Open MikeMastro13 opened 4 months ago

MikeMastro13 commented 4 months ago

I came across a Prototype Pollution issue in Artillery 2.0.17 the other day through Dependabot. I wanted to see if anyone else's repositories had been flagged for the same issue. From what I can tell, the problematic package is dependency-tree, which relies on RequireJS. The vulnerability arises via the following dependency chain: dependency-tree -> filing-cabinet -> module-lookup-amd -> requirejs. There's also a report on Snyk, which you can find here, detailing the issue found in RequireJS. Fortunately, dependency-tree is only used in one file in Artillery, bom.js, as shown in the code snippet below:

```javascript
const path = require('path');
const depTree = require('dependency-tree');

// procPath and context come from the surrounding bom.js function (not shown in the snippet)
const tree = depTree.toList({
  filename: procPath,
  directory: path.dirname(context.opts.absoluteScriptPath),
  filter: (path) => path.indexOf('node_modules') === -1 // optional
});
```

Is there any possibility of swapping this out and removing the dependency?
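As an added example (not from this issue and not Artillery's own code), the script below traces every dependency chain in a `package-lock.json` that leads to a given package, which is how a chain like `dependency-tree -> filing-cabinet -> module-lookup-amd -> requirejs` can be confirmed in your own project before deciding whether the transitive dependency is reachable. It reads the lockfile `packages` map (lockfileVersion 2 or 3) and resolves each dependency the way Node does, checking nested `node_modules` first and then walking up. The embedded lockfile, its package versions and the `debug` entries are constructed for the example.

```javascript
// Trace dependency chains in a package-lock.json ("packages" format, lockfileVersion 2/3)
// from the project root to a target package name. Added example; not Artillery code.

// Constructed sample lock. The chain mirrors the one reported in this issue; the
// nested copy of "debug" under filing-cabinet shows nested-node_modules resolution.
// All version strings are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app', // hypothetical project
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'dependency-tree': '^1.0.0', lodash: '^1.0.0' } },
    'node_modules/dependency-tree': { version: '1.0.0', dependencies: { 'filing-cabinet': '^1.0.0' } },
    'node_modules/filing-cabinet': { version: '1.0.0', dependencies: { 'module-lookup-amd': '^1.0.0', debug: '^2.0.0' } },
    'node_modules/filing-cabinet/node_modules/debug': { version: '2.0.0' },
    'node_modules/module-lookup-amd': { version: '1.0.0', dependencies: { requirejs: '^1.0.0' } },
    'node_modules/requirejs': { version: '1.0.0' },
    'node_modules/lodash': { version: '1.0.0' },
    'node_modules/debug': { version: '1.0.0' },
  },
};

// Resolve dependency `name` as required from the package installed at `fromPath`:
// try fromPath/node_modules/name, then each parent package's node_modules, then the root.
function resolve(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(pkgPath) {
  const i = pkgPath.lastIndexOf('node_modules/');
  return pkgPath.slice(i + 'node_modules/'.length);
}

// Depth-first search from the root. Returns every chain of package names that ends
// at `target`. `seen` is per chain so alternate routes to the same package are kept;
// on very large lockfiles with many diamond dependencies this can enumerate many paths.
function findDependencyPaths(lock, target) {
  const results = [];
  const visit = (pkgPath, chain, seen) => {
    const entry = lock.packages[pkgPath] || {};
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const resolved = resolve(lock, pkgPath, dep);
      if (!resolved || seen.has(resolved)) continue; // unresolved (e.g. optional) or cycle
      const name = packageName(resolved);
      const next = chain.concat(name);
      if (name === target) results.push(next);
      visit(resolved, next, new Set(seen).add(resolved));
    }
  };
  visit('', [], new Set());
  return results;
}

// Usage: node trace-deps.js [path/to/package-lock.json] [package-name]
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [lockFile, target] = process.argv.slice(2);
  const lock = lockFile ? JSON.parse(fs.readFileSync(lockFile, 'utf8')) : SAMPLE_LOCK;
  for (const chain of findDependencyPaths(lock, target || 'requirejs')) {
    console.log(chain.join(' -> '));
  }
}
```

Run with no arguments to see the sample chain; point it at a real lockfile and a package name to check whether that package is reachable from your project's direct dependencies and through which packages. This is the same question `npm ls <package>` answers, but the script can be dropped into CI or run against a lockfile that is not installed locally.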

bernardobridge commented 4 months ago

Hey @MikeMastro13 👋 , thanks for reporting this!

Unfortunately there doesn't seem to be a fix out for this in dependency-tree, and that code in the bom module is fairly core to our distributed tests, so it's not something we can immediately take out.

We will try to do some security updates for the release after next (in 2 weeks), and I'll try to see if dependency-tree are planning on fixing this by then.

osmithelias188 commented 2 months ago

We also need this vulnerability fixed, and we also opened an issue with filing-cabinet (a dependency of dependency-tree): https://github.com/dependents/node-filing-cabinet/issues/135