celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0

fix(deps): update dependency moment to v2.29.4 [security] (release/core-contracts/6) - autoclosed #11069

Closed renovate[bot] closed 2 weeks ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| moment (source) | 2.29.1 -> 2.29.4 | age | adoption | passing | confidence |

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Path Traversal: 'dir/../../filename' in moment.locale

CVE-2022-24785 / GHSA-8hfj-j24r-96c4

More information

#### Details

##### Impact

This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is directly used to switch the moment locale.

##### Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

##### Workarounds

Sanitize user-provided locale name before passing it to moment.js.

##### References

_Are there any links users can visit to find out more?_

##### For more information

If you have any questions or comments about this advisory:

* Open an issue in [moment repo](https://togithub.com/moment/moment)

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References

- [https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4](https://togithub.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-24785](https://nvd.nist.gov/vuln/detail/CVE-2022-24785)
- [https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5](https://togithub.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5)
- [https://github.com/moment/moment](https://togithub.com/moment/moment)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5)
- [https://security.netapp.com/advisory/ntap-20220513-0006](https://security.netapp.com/advisory/ntap-20220513-0006)
- [https://www.tenable.com/security/tns-2022-09](https://www.tenable.com/security/tns-2022-09)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8hfj-j24r-96c4) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Moment.js vulnerable to Inefficient Regular Expression Complexity

CVE-2022-31129 / CVE-2023-22467 / GHSA-3xq5-wjfh-ppjc / GHSA-wc69-rhjr-hc9g

More information

#### Details

##### Impact

* Using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs.
* A noticeable slowdown is observed with inputs above 10k characters.
* Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks.

##### Patches

The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking.

##### Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this and also with most future ReDoS vulnerabilities.

##### References

There is an excellent writeup of the issue here: [https://github.com/moment/moment/pull/6015#issuecomment-1152961973](https://togithub.com/moment/moment/pull/6015#issuecomment-1152961973)

##### Details

The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. `moment("(".repeat(500000))` will take a few minutes to process, which is unacceptable.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g](https://togithub.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-31129](https://nvd.nist.gov/vuln/detail/CVE-2022-31129)
- [https://github.com/moment/moment/pull/6015#issuecomment-1152961973](https://togithub.com/moment/moment/pull/6015#issuecomment-1152961973)
- [https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4](https://togithub.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4)
- [https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe](https://togithub.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe)
- [https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504](https://togithub.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504)
- [https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3](https://togithub.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3)
- [https://github.com/moment/moment](https://togithub.com/moment/moment)
- [https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633](https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO)
- [https://security.netapp.com/advisory/ntap-20221014-0003](https://security.netapp.com/advisory/ntap-20221014-0003)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-wc69-rhjr-hc9g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

moment/moment (moment)

### [`v2.29.4`](https://togithub.com/moment/moment/blob/HEAD/CHANGELOG.md#2294)

[Compare Source](https://togithub.com/moment/moment/compare/2.29.3...2.29.4)

- Release Jul 6, 2022
- [#6015](https://togithub.com/moment/moment/pull/6015) [bugfix] Fix ReDoS in preprocessRFC2822 regex

### [`v2.29.3`](https://togithub.com/moment/moment/blob/HEAD/CHANGELOG.md#2293-Full-changelog)

[Compare Source](https://togithub.com/moment/moment/compare/2.29.2...2.29.3)

- Release Apr 17, 2022
- [#5995](https://togithub.com/moment/moment/pull/5995) [bugfix] Remove const usage
- [#5990](https://togithub.com/moment/moment/pull/5990) misc: fix advisory link

### [`v2.29.2`](https://togithub.com/moment/moment/blob/HEAD/CHANGELOG.md#2292-See-full-changelog)

[Compare Source](https://togithub.com/moment/moment/compare/2.29.1...2.29.2)

- Release Apr 3 2022
- Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
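The two workarounds the advisories above describe (an allow-listed locale name for `moment.locale()`, and a length ceiling on strings handed to the `moment()` constructor), written out as an added example that is not code from the Renovate PR, the celo-monorepo, or the moment project; the helper names `safeLocale`, `safeDateInput` and `checkRequest`, the 16-character tag limit and the sample values are assumptions of this example.

```javascript
// Added example, not code from the Renovate PR or from moment.js itself. It applies
// the two workarounds the advisories describe to untrusted input *before* that input
// reaches moment.locale() or the moment() constructor. Helper names are hypothetical.

// moment's bundled locale tags look like "fr", "en-gb", "zh-cn", "x-pseudo": a short
// letter run plus optional hyphenated subtags. Slashes, dots and ".." never appear,
// so "dir/../../filename"-style values fail the pattern before the allow-list runs.
const LOCALE_RE = /^[a-z]{1,3}(-[a-z0-9]{2,8}){0,2}$/;

// Ceiling the second advisory suggests for date-time strings reaching the parser.
const MAX_DATE_INPUT = 200;

// Returns the normalised tag if it is well-formed AND one the application bundles,
// otherwise null. Allow-listing beats sanitising: unknown tags are simply refused.
function safeLocale(value, allowed) {
  if (typeof value !== 'string' || value.length > 16) return null; // 16: assumed bound
  const tag = value.trim().toLowerCase();
  if (!LOCALE_RE.test(tag)) return null;
  return allowed.has(tag) ? tag : null;
}

// Returns the string unchanged if it is short enough to parse, otherwise null. The
// rfc2822 comment-stripping step in moment < 2.29.4 is quadratic in input length,
// so bounding the length bounds the work any single request can force.
function safeDateInput(value, maxLen = MAX_DATE_INPUT) {
  if (typeof value !== 'string' || value.length > maxLen) return null;
  return value;
}

// Request-shaped input (e.g. parsed query-string fields) run through both checks;
// a null field means "do not pass this to moment".
function checkRequest(query, bundledLocales) {
  return {
    locale: safeLocale(query.locale, bundledLocales),
    date: safeDateInput(query.date),
  };
}

// Constructed sample values for illustration only.
const BUNDLED = new Set(['en', 'en-gb', 'fr', 'zh-cn']);
console.log(checkRequest({ locale: 'FR', date: 'Wed, 06 Jul 2022 12:00:00 GMT' }, BUNDLED));
// -> { locale: 'fr', date: 'Wed, 06 Jul 2022 12:00:00 GMT' }
console.log(checkRequest({ locale: 'dir/../../filename', date: '('.repeat(500000) }, BUNDLED));
// -> { locale: null, date: null }
```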