cdimascio / express-openapi-validator

🦋 Auto-validates api requests, responses, and securities using ExpressJS and an OpenAPI 3.x specification
MIT License
920 stars, 211 forks

Update path-to-regexp #966

Closed klassm closed 3 weeks ago

klassm commented 2 months ago

Please update to the current version of path-to-regexp, to mitigate the security vulnerability described in https://github.com/advisories/GHSA-9wv6-86v2-598j. Fix version should be 8.1.0

Thanks :-)!

StevenCederrand commented 2 months ago

8.1.0 would probably be best, but yea, to remove the issue 8.0.0 is enough.

Please and thank you 🙌

Alesyaa103 commented 2 months ago

v0.1.X also needs to be updated to v1.10.0

https://github.com/advisories/GHSA-9wv6-86v2-598j

mmtdm commented 2 months ago

Currently this fails `npm audit`:

```
npm install express-openapi-validator --save

added 120 packages, and audited 121 packages in 3s

17 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
```

```
ex % npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/express-openapi-validator/node_modules/path-to-regexp
  express-openapi-validator  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/express-openapi-validator

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
```

gauravrajpoot-wmp commented 2 months ago

How to fix this issue? Facing the same problem.

frankkeefer commented 2 months ago

Also having issues using this library.

It looks like the automated PRs to update the library failed due to a build issue. https://github.com/cdimascio/express-openapi-validator/pull/967 https://github.com/cdimascio/express-openapi-validator/pull/968

Looks like this might need a code update to account for the new shape of the functions in the new version of the path-to-regexp library. https://github.com/cdimascio/express-openapi-validator/actions/runs/10797834182/job/29949959459?pr=967

avocadojesus commented 2 months ago

The update is non-trivial, since newer versions of path-to-regexp don't support any of the tests in test/wildcard.path.params.spec.ts (except for the first test). Began working on this, but since I am not a regular contributor to this repo, I didn't feel I had the authority to decide not to support wildcard features, since technically express does support them.

Express 4.20 is using path-to-regexp@0.1.10. I attempted to bring that version into this project as well, but it created 300+ test errors for me, so I defer to the package maintainers for the correct approach here.

To get to the point where only 7 wildcard specs are failing, you can bump path-to-regexp@8.0.1, and then make the following changes:

(two screenshots of the code changes, taken 2024-09-11)

Not sure what to do from there apart from just deleting the wildcard functionality, any ideas? Seems to me safest approach would be to go back to path-to-regexp@0.1.10, since express uses that version successfully to parse its routes, and it can handle the same wildcard expressions, but that results in massive failures and I don't have the time to look into them.

cvchauhan commented 2 months ago

For version 8.1.0 the code needs to be modified; as of now the fix version is 6.3.0.

s100 commented 2 months ago

Following the release of path-to-regexp@6.3.0, which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

cdimascio commented 2 months ago

The PR above upgrades path-to-regexp to 6.3.0 which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

frankkeefer commented 2 months ago

Found a way to update the code to support path-to-regexp 8.1.0 https://github.com/cdimascio/express-openapi-validator/pull/976. I had to do a pinch of rework in the openapi.spec.loader.ts to handle some of the new expectations for the 8.1.0 versions in setting up the path models. If the PR needs any adjustments let me know.

frankkeefer commented 2 months ago

I did validate that the changes in #976 pass all the current unit tests, and the code changed is covered by the current unit testing. I'm not sure what unit test updates would be needed beyond that.

cvchauhan commented 2 months ago

> The PR above upgrades path-to-regexp to 6.3.0 which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

https://github.com/cdimascio/express-openapi-validator/pull/975

cvchauhan commented 2 months ago

> Following the release of path-to-regexp@6.3.0, which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

A PR has already been raised: https://github.com/cdimascio/express-openapi-validator/pull/979

dogmatic69 commented 2 months ago

Since https://github.com/cdimascio/express-openapi-validator/pull/976 is merged, can a new release be made? 🙏🏻

cdimascio commented 3 weeks ago

fixed. closing this out