cnpm / cnpmcore

Private NPM Registry for Enterprise
https://npmmirror.com
MIT License

fix: fix breaking change about RSA_PKCS1_PADDING. #650

Closed hljwkwm closed 7 months ago

hljwkwm commented 7 months ago

Problem:

A Node.js security fix makes RSA_PKCS1_PADDING unusable and raises the following error:

RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809.

This PR fixes the issue above.

Reference: https://www.eggjs.org/zh-CN/core/security#revert-cve

socket-security[bot] commented 7 months ago

New and removed dependencies detected.

Package: npm/egg-scripts@3.0.0
New capabilities: environment, filesystem, network, shell (transitive)
Transitives: +96
Size: 6.74 MB

Removed packages: npm/egg-scripts@2.17.0

fengmk2 commented 7 months ago

Could RSA_PKCS1_PADDING be replaced instead?

codecov[bot] commented 7 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (26d2ef2) 96.84% compared to head (c055a0c) 96.84%. Report is 1 commit behind head on master.

Coverage diff:

    @@           Coverage Diff           @@
    ##           master     #650   +/-   ##
    =======================================
      Coverage   96.84%   96.84%
    =======================================
      Files         180      180
      Lines       17598    17598
      Branches     2292     2292
    =======================================
      Hits        17043    17043
      Misses        555      555

hljwkwm commented 7 months ago

Could RSA_PKCS1_PADDING be replaced instead?

I'm not sure whether replacing it is feasible, but after upgrading egg-scripts and passing the revert flag, the program currently works normally, which resolves this error.

hljwkwm commented 7 months ago

One more note: this issue prevents users from logging in; the API returns a 500.

fengmk2 commented 4 months ago

@hljwkwm I'm going to remove CVE-2023-46809; it raises security issues, and cnpmcore doesn't depend on this capability.

fengmk2 commented 4 months ago

https://github.com/cnpm/cnpmcore/pull/683

hljwkwm commented 4 months ago

@hljwkwm I'm going to remove CVE-2023-46809; it raises security issues, and cnpmcore doesn't depend on this capability.

Got it ✅