balena-io / balena-cli

The official balena CLI tool.
Apache License 2.0

Vulnerable dependencies #2764

Open oskarwilliams opened 2 months ago

oskarwilliams commented 2 months ago

Description

The balena-cli, when installed via npm, currently includes 39 vulnerabilities, including 2 critical, which are non-patchable. Some of these include using a sub-dependency that was last published 10 years ago (optimist). Could some of these vulnerabilities be assessed and looked at?

Expected Behavior

In the ideal world, 0 vulnerabilities when the package is installed with NPM

Actual Behavior

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical) and many deprecated packages

Steps to Reproduce the Problem

  1. npm init with just defaults
  2. npm install balena-cli
  3. The below output
❯ npm install balena-cli
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/unbzip2-stream.git 
npm WARN skipping integrity check for git dependency ssh://git@github.com/resin-io-modules/multicast-dns.git 
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/bonjour.git 
npm WARN deprecated @types/nock@11.1.0: This is a stub types definition. nock provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/is-root@2.1.2: This is a stub types definition. is-root provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/cli-truncate@2.0.0: This is a stub types definition. cli-truncate provides its own type definitions, so you do not need this installed.
npm WARN deprecated readdir-scoped-modules@1.1.0: This functionality has been moved to @npmcli/fs
npm WARN deprecated debuglog@1.0.1: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@5.3.1: Please upgrade to v7.0.2+ of superagent.  We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing.  See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.20.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 2139 packages, and audited 2140 packages in 15s

104 packages are looking for funding
  run `npm fund` for details

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
  4. Output of npm audit is

# npm audit report

bl  <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via npm audit fix
node_modules/balena-cli/node_modules/ghauth/node_modules/bl
  ghauth  <=3.2.1
  Depends on vulnerable versions of bl
  node_modules/balena-cli/node_modules/ghauth

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via npm audit fix
node_modules/balena-cli/node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/balena-cli/node_modules/follow-redirects

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix
node_modules/balena-cli/node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/balena-cli/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/balena-cli/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/balena-cli/node_modules/update-notifier

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via npm audit fix
node_modules/balena-cli/node_modules/jsonwebtoken

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via npm audit fix
node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer

lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/balena-cli/node_modules/lodash.template
  @oclif/plugin-warn-if-update-available  1.7.0 || 2.0.0 || 2.1.0 - 3.0.16
  Depends on vulnerable versions of lodash.template
  node_modules/balena-cli/node_modules/@oclif/plugin-warn-if-update-available

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via npm audit fix
node_modules/balena-cli/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of nanoid
  node_modules/balena-cli/node_modules/mocha

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/balena-cli/node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/balena-cli/node_modules/optimist
    dbus-native
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of put
    Depends on vulnerable versions of xml2js
    node_modules/balena-cli/node_modules/dbus-native
      resin-discoverable-services  >=2.0.0
      Depends on vulnerable versions of dbus-native
      node_modules/balena-cli/node_modules/resin-discoverable-services
        balena-cli
        Depends on vulnerable versions of @balena/compose
        Depends on vulnerable versions of balena-preload
        Depends on vulnerable versions of request
        Depends on vulnerable versions of resin-discoverable-services
        Depends on vulnerable versions of update-notifier
        node_modules/balena-cli

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via npm audit fix
node_modules/balena-cli/node_modules/nanoid

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix
node_modules/balena-cli/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/balena-cli/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/balena-cli/node_modules/svgo
      inline-source  6.1.0 - 7.2.0
      Depends on vulnerable versions of svgo
      node_modules/balena-cli/node_modules/inline-source
        inline-source-cli  >=2.0.0
        Depends on vulnerable versions of inline-source
        node_modules/balena-cli/node_modules/inline-source-cli

put  *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
No fix available
node_modules/balena-cli/node_modules/put

request
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/balena-cli/node_modules/request
  @balena/compose
  Depends on vulnerable versions of pinejs-client-request
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/@balena/compose
  balena-preload  >=10.3.2-233-sh-truncate-exc-feff27b0a0cd5e8ce93564e8a8a25727bd7acffa
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise
  node_modules/balena-cli/node_modules/balena-preload
  pinejs-client-request
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/pinejs-client-request
  publish-release
  Depends on vulnerable versions of ghauth
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/publish-release
  request-promise  >=0.0.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/balena-cli/node_modules/request-promise
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/request-promise-core

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/balena-cli/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/balena-cli/node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix
node_modules/balena-cli/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/balena-cli/node_modules/meow

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/balena-cli/node_modules/dbus-native/node_modules/xml2js

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
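Triage logic for a report like the one above, as an added example that is not part of this issue or of balena-cli: it reads the `npm audit --json` form of the report (the auditReportVersion 2 schema, whose `fixAvailable` field is `true`, `false` or an object describing a semver-major fix), separates what `npm audit fix` resolves from what has no fix, and follows each advisory's `effects` chain up to the top-level dependency that pulls it in. The sample input is constructed from two of the entries above (minimist and bl), with ghauth deliberately left out of the map to show how an unknown node terminates a chain.

```javascript
// Added example, not balena-cli code: triage `npm audit --json` output (auditReportVersion 2)
// by fix availability and trace each advisory's `effects` chain up to the root dependency.
// Constructed sample mirroring two entries of the report above: minimist (critical, no fix,
// pulled in via optimist -> dbus-native -> resin-discoverable-services) and bl (moderate, fixable).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: { name: 'minimist', severity: 'critical', range: '<=0.2.3', fixAvailable: false,
      via: [{ title: 'Prototype Pollution in minimist',
              url: 'https://github.com/advisories/GHSA-vh95-rmgr-6w4m' }], effects: ['optimist'] },
    optimist: { name: 'optimist', severity: 'critical', range: '>=0.6.0', fixAvailable: false,
      via: ['minimist'], effects: ['dbus-native'] },
    'dbus-native': { name: 'dbus-native', severity: 'critical', range: '*', fixAvailable: false,
      via: ['optimist'], effects: ['resin-discoverable-services'] },
    'resin-discoverable-services': { name: 'resin-discoverable-services', severity: 'critical',
      range: '>=2.0.0', fixAvailable: false, via: ['dbus-native'], effects: [] },
    bl: { name: 'bl', severity: 'moderate', range: '<1.2.3', fixAvailable: true,
      via: [{ title: 'Remote Memory Exposure in bl',
              url: 'https://github.com/advisories/GHSA-pp7h-53gx-mx7r' }], effects: ['ghauth'] },
  },
};

// Entries with an advisory object in `via` are the vulnerable packages themselves; entries
// whose `via` holds only package names are dependents that npm flags transitively.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).filter((v) => v.via.some((x) => typeof x === 'object'));
}

// Follow `effects` upward until a package nothing else depends on (or one absent from the
// report, e.g. ghauth in the sample) is reached; `seen` guards against dependency cycles.
function dependencyChains(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || v.effects.length === 0 || seen.has(name)) return [[name]];
  const next = new Set(seen).add(name);
  return v.effects.flatMap((e) => dependencyChains(report, e, next).map((c) => [name, ...c]));
}

// fixAvailable is true, false, or { name, version, isSemVerMajor }; only the semver-major
// case needs `npm audit fix --force` or a manual upgrade, so it is reported separately.
function triage(report) {
  const out = { fixable: [], majorBump: [], unfixable: [] };
  for (const v of rootAdvisories(report)) {
    const entry = { name: v.name, severity: v.severity,
      chains: dependencyChains(report, v.name).map((c) => c.join(' -> ')) };
    if (v.fixAvailable === false) out.unfixable.push(entry);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) out.fixable.push(entry);
    else out.majorBump.push(entry);
  }
  return out;
}
```

Running `triage(JSON.parse(fs.readFileSync('audit.json')))` on a real `npm audit --json > audit.json` capture gives the same three buckets; the `unfixable` chains are the ones a consumer cannot resolve without the upstream package changing its own dependencies.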

oskarwilliams commented 2 weeks ago

This issue is exacerbated by the fact that the use of npm-shrinkwrap prevents any consumer of the package from overriding the vulnerable dependencies themselves.

aethernet commented 2 weeks ago

Hello,

Those vulnerabilities are not exploitable in the context of the CLI. We do have plans to upgrade those dependencies but it's not a priority atm.

If you have any reasons to believe that it's exploitable, please contact us privately using security@balena.io.