balena-io / balena-cli

The official balena CLI tool.
Apache License 2.0

Vulnerable dependencies #2764

Open oskarwilliams opened 6 months ago

oskarwilliams commented 6 months ago

Description

The balena-cli when installed via npm currently includes 39 vulnerabilities, including 2 critical, which are non-patchable. Some of these include using a sub-dependency that was last published 10 years ago (optimist). Could some of these vulnerabilities be assessed and looked at?

Expected Behavior

In the ideal world, 0 vulnerabilities when the package is installed with NPM

Actual Behavior

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical) and many deprecated packages

Steps to Reproduce the Problem

  1. npm init with just defaults
  2. npm install balena-cli
  3. The below output
❯ npm install balena-cli
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/unbzip2-stream.git 
npm WARN skipping integrity check for git dependency ssh://git@github.com/resin-io-modules/multicast-dns.git 
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/bonjour.git 
npm WARN deprecated @types/nock@11.1.0: This is a stub types definition. nock provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/is-root@2.1.2: This is a stub types definition. is-root provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/cli-truncate@2.0.0: This is a stub types definition. cli-truncate provides its own type definitions, so you do not need this installed.
npm WARN deprecated readdir-scoped-modules@1.1.0: This functionality has been moved to @npmcli/fs
npm WARN deprecated debuglog@1.0.1: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@5.3.1: Please upgrade to v7.0.2+ of superagent.  We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing.  See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.20.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 2139 packages, and audited 2140 packages in 15s

104 packages are looking for funding
  run `npm fund` for details

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
  4. Output of npm audit is

    # npm audit report

bl  <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via npm audit fix
node_modules/balena-cli/node_modules/ghauth/node_modules/bl
  ghauth  <=3.2.1
  Depends on vulnerable versions of bl
  node_modules/balena-cli/node_modules/ghauth

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via npm audit fix
node_modules/balena-cli/node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/balena-cli/node_modules/follow-redirects

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix
node_modules/balena-cli/node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/balena-cli/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/balena-cli/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/balena-cli/node_modules/update-notifier

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via npm audit fix
node_modules/balena-cli/node_modules/jsonwebtoken

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via npm audit fix
node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer

lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/balena-cli/node_modules/lodash.template
  @oclif/plugin-warn-if-update-available  1.7.0 || 2.0.0 || 2.1.0 - 3.0.16
  Depends on vulnerable versions of lodash.template
  node_modules/balena-cli/node_modules/@oclif/plugin-warn-if-update-available

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via npm audit fix
node_modules/balena-cli/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of nanoid
  node_modules/balena-cli/node_modules/mocha

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/balena-cli/node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/balena-cli/node_modules/optimist
    dbus-native
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of put
    Depends on vulnerable versions of xml2js
    node_modules/balena-cli/node_modules/dbus-native
      resin-discoverable-services  >=2.0.0
      Depends on vulnerable versions of dbus-native
      node_modules/balena-cli/node_modules/resin-discoverable-services
        balena-cli
        Depends on vulnerable versions of @balena/compose
        Depends on vulnerable versions of balena-preload
        Depends on vulnerable versions of request
        Depends on vulnerable versions of resin-discoverable-services
        Depends on vulnerable versions of update-notifier
        node_modules/balena-cli

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via npm audit fix
node_modules/balena-cli/node_modules/nanoid

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix
node_modules/balena-cli/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/balena-cli/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/balena-cli/node_modules/svgo
      inline-source  6.1.0 - 7.2.0
      Depends on vulnerable versions of svgo
      node_modules/balena-cli/node_modules/inline-source
        inline-source-cli  >=2.0.0
        Depends on vulnerable versions of inline-source
        node_modules/balena-cli/node_modules/inline-source-cli

put  *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
No fix available
node_modules/balena-cli/node_modules/put

request
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/balena-cli/node_modules/request
  @balena/compose
  Depends on vulnerable versions of pinejs-client-request
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/@balena/compose
  balena-preload  >=10.3.2-233-sh-truncate-exc-feff27b0a0cd5e8ce93564e8a8a25727bd7acffa
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise
  node_modules/balena-cli/node_modules/balena-preload
  pinejs-client-request
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/pinejs-client-request
  publish-release
  Depends on vulnerable versions of ghauth
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/publish-release
  request-promise  >=0.0.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/balena-cli/node_modules/request-promise
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/request-promise-core

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/balena-cli/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/balena-cli/node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix
node_modules/balena-cli/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/balena-cli/node_modules/meow

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/balena-cli/node_modules/dbus-native/node_modules/xml2js

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run: npm audit fix

Some issues need review, and may require choosing a different dependency.
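As an added example (not code from the issue author or from the balena-cli project), a small Node script that turns an `npm audit --json` report into the triage view a maintainer reading the output above would want: counts per severity, plus the root-cause packages npm reports as having no fix (minimist in this thread) with the chain of dependants that pulls each one in. The `sampleReport` object is constructed to mirror a few of the quoted entries; the field names (`vulnerabilities`, `via`, `effects`, `fixAvailable`) are those of the npm 7+ audit report format.

```javascript
// Added example (not code from the issue or from balena-cli): triage an
// `npm audit --json` report (auditReportVersion 2): count findings per severity
// and list root-cause packages npm marks as unfixable with the chain of dependants
// pulling each in. `sampleReport` is a constructed stand-in, not balena-cli output.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: {
      name: 'minimist', severity: 'critical', range: '<=0.2.3', effects: ['optimist'],
      via: [{ title: 'Prototype Pollution in minimist',
              url: 'https://github.com/advisories/GHSA-xvch-5gv4-984h' }],
      fixAvailable: false,
    },
    optimist: { // flagged only because it depends on the vulnerable minimist
      name: 'optimist', severity: 'critical', range: '>=0.6.0', effects: ['dbus-native'],
      via: ['minimist'], fixAvailable: false,
    },
    tar: {
      name: 'tar', severity: 'moderate', range: '<6.2.1', effects: [],
      via: [{ title: 'Denial of service while parsing a tar file',
              url: 'https://github.com/advisories/GHSA-f5x3-32g6-xq36' }],
      fixAvailable: true,
    },
  },
};
// Walk `effects` upward to show which dependants carry a finding.
function dependantChain(vulns, name) {
  const chain = [name];
  for (let cur = vulns[name]; cur && cur.effects.length; cur = vulns[cur.effects[0]]) {
    chain.push(cur.effects[0]);
  }
  return chain.join(' <- ');
}

function triage(report) {
  const vulns = report.vulnerabilities;
  const bySeverity = {};
  const unfixable = [];
  for (const v of Object.values(vulns)) {
    bySeverity[v.severity] = (bySeverity[v.severity] || 0) + 1;
    // Root causes carry advisory objects in `via`; dependants carry names only.
    // `fixAvailable` is true, false, or an object describing a semver-major fix.
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (v.fixAvailable === false && advisories.length) {
      unfixable.push({ name: v.name, advisories: advisories.map((x) => x.url),
                       chain: dependantChain(vulns, v.name) });
    }
  }
  return { bySeverity, unfixable };
}
```

Feeding it a real report (`npm audit --json > audit.json`, then `triage(JSON.parse(fs.readFileSync('audit.json')))`) separates the findings `npm audit fix` can clear from the ones that need a dependency swap, which is the split the maintainers describe later in this thread.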

oskarwilliams commented 5 months ago

This issue is exacerbated by the fact that the use of npm-shrinkwrap prevents any consumer of the package from overriding the vulnerable dependencies themselves.

aethernet commented 5 months ago

Hello,

Those vulnerabilities are not exploitable in the context of the CLI. We do have plans to upgrade those dependencies but it's not a priority atm.

If you have any reasons to believe that it's exploitable, please contact us privately using security@balena.io.

otaviojacobi commented 4 months ago

Hello @oskarwilliams, even though the dependencies above were not exploitable on the CLI, I agree that there are improvements to be done. After a very long chain of dependency fixes and bumps (see #2771, #2790, #2791, #2797, #2796, #2799) and finally #2800, the latest version of the CLI when installed yields 11 moderate severity vulnerabilities, down from 39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical).

I know this is still not great, but the remaining 11 vulnerabilities will probably take a bit longer to be replaced (or at least the 10 that depend on the request module). The reason for that is, first, request is used to communicate with our builders, and replacing it with another HTTP client (either got or fetch) is not as trivial as expected, as not all the clients have the same features, and got, which is the more complete one, would also require moving the entire project to ESM. Moving the project to ESM requires us to move to @oclif/core v4, which has several breaking changes on the ux module that we need to replace (see https://github.com/oclif/core/pull/1059).

I am keeping this issue open until we (or someone in the community, as PRs are welcome) get to tackle these.

oskarwilliams commented 4 months ago

Thank you for working your way through these vulnerabilities! I understand the issues you would have going through them, so thanks for the perseverance.