crisp-im / node-crisp-api

:zap: Crisp API Node Wrapper
https://docs.crisp.chat/guides/rest-api/
MIT License

Security issues with dependencies normalize-url and ws #30

Closed creativityjuice closed 2 years ago

creativityjuice commented 3 years ago

Hi there,

There are 2 security issues with your package that impact our API. Could you fix these security issues please:

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539] in normalize-url@4.5.0 introduced by node-crisp-api@1.12.2 > got@9.6.0 > cacheable-request@6.1.0 > normalize-url@4.5.0 This issue was fixed in versions: 6.0.1, 5.3.1, 4.5.1

✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-WS-1296835] in ws@7.4.5 introduced by node-crisp-api@1.12.2 > socket.io-client@2.4.0 > engine.io-client@3.5.2 > ws@7.4.5 This issue was fixed in versions: 7.4.6, 6.2.2, 5.2.3

Cheers,

baptistejamin commented 3 years ago

No worries, even if the bot reports these dependencies, you won't be impacted directly by this, because it only affects the server (our own servers), and those are already patched.

creativityjuice commented 2 years ago

Hi,

I'm back with my security issues on your package. Could you fix these issues please:

✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-GOT-2932019] in got@9.6.0 introduced by crisp-api@6.3.0 > got@9.6.0 This issue was fixed in versions: 11.8.5, 12.1.0

✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in node-fetch@2.6.1 introduced by crisp-api@6.3.0 > fbemitter@3.0.0 > fbjs@3.0.2 > cross-fetch@3.1.4 > node-fetch@2.6.1 This issue was fixed in versions: 2.6.7, 3.1.1

For information, got@9.6.0 is a release from Jan 2019, so it may be time to upgrade even if there is no direct threat to my application.

Cheers,

eliottvincent commented 2 years ago

Hey! I'll take a look at those over the week-end :)

creativityjuice commented 2 years ago

Hey,

Any news ?

baptistejamin commented 2 years ago

As explained above, there is absolutely no risk from either:

  1. normalize-url@4.5.0 is a ReDoS issue that affects data: URLs. As this is a REST API client, there is absolutely no data: URL involved.
  2. ws@7.4.5 can only affect WebSocket servers. Here it is a WebSocket client.

You can relax about this. We will likely update those packages in the future.

creativityjuice commented 2 years ago

Thanks for your reply. These packages are ok now, I reopened this issue for other packages 25 days ago.

eliottvincent commented 2 years ago

Hey @creativityjuice ! I've just released v6.3.1 which contains the necessary dependencies upgrades.

creativityjuice commented 2 years ago

Hi @eliottvincent,

We have an issue since your last release (6.3.1) with _crispclient.website.createNewConversation. Here is the error returned: {"reason":"error","message":"internal_error","code":500,"data":{"namespace":"request","message":"Got request error: RequestError"}}

It looks like the Got update introduced a bug. Here is the code I use:

const { session_id } = await crisp_client.website.createNewConversation(crisp_config.website_id);

eliottvincent commented 2 years ago

Hey! Can you try using the v6.3.2? There was a bug in the v6.3.1 indeed, as Got changed the way they handle errors, and this wasn't documented in their migration procedure.

creativityjuice commented 2 years ago

Thanks for your fast reply. Indeed it works with the new release. I should have tried that first ;)

eliottvincent commented 2 years ago

Perfect!

creativityjuice commented 1 year ago

Hi there,

There is a new critical security issue on your package. It's related to socket.io and there is a fixed version. I know that it's just a proof of concept, but could you update your package please:

✗ Improper Input Validation [Critical Severity][https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012] in socket.io-parser@4.1.2
    introduced by crisp-api@7.0.0 > socket.io-client@4.4.1 > socket.io-parser@4.1.2
  This issue was fixed in versions: 3.3.3, 3.4.2, 4.0.5, 4.2.1

Thanks a lot,

valeriansaliou commented 1 year ago

socket.io-client has no updated package as of now, we'll wait for an update to be released on their side: https://github.com/socketio/socket.io-client/commits/main

creativityjuice commented 1 year ago

Hi there,

socket.io-client now has a 4.6.1. New and old security issues for you:

✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783] in http-cache-semantics@4.1.0
    introduced by crisp-api@7.4.1 > got@11.8.5 > cacheable-request@7.0.2 > http-cache-semantics@4.1.0
  This issue was fixed in versions: 4.1.1

✗ Improper Input Validation [Critical Severity][https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012] in socket.io-parser@4.1.2
    introduced by crisp-api@7.4.1 > socket.io-client@4.4.1 > socket.io-parser@4.1.2
  This issue was fixed in versions: 3.3.3, 3.4.2, 4.0.5, 4.2.1

✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450] in ua-parser-js@0.7.31
    introduced by crisp-api@7.4.1 > fbemitter@3.0.0 > fbjs@3.0.4 > ua-parser-js@0.7.31
  This issue was fixed in versions: 0.7.33, 1.0.33

Could you fix that?
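Every report in this thread has the same shape: a vulnerable package version, the "introduced by" chain that pulls it into crisp-api, and a list of fixed versions. The following is an added example (not code from node-crisp-api or from Snyk) that reproduces that triage offline: it walks a dependency tree in the shape of `npm ls --json` output, flags every path reaching a version inside an advisory's vulnerable range, and names the smallest fixed version above it, which also tells you whether the fix is a patch bump or a major jump (got 9.6.0 to 11.8.5 is the latter, which is why v6.3.1 broke). The tree is constructed from the crisp-api@6.3.0 chains quoted above; the vulnerable ranges are my reading of the linked advisories and should be checked against them before being relied on.

```javascript
// Added example, not node-crisp-api code. Tree and advisories below are
// constructed from versions quoted in this issue; ranges are assumptions
// taken from the linked advisories. Nothing is fetched from npm or Snyk.

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release suffixes dropped.
function parseVersion(v) {
  const parts = v.split("-")[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A range is { lo, hi }: lo (inclusive, null = unbounded) <= v < hi.
function inRange(v, { lo, hi }) {
  if (lo !== null && compareVersions(v, lo) < 0) return false;
  return compareVersions(v, hi) < 0;
}

function isVulnerable(installed, advisory) {
  return advisory.vulnerable.some((r) => inRange(installed, r));
}

// Smallest fixed version strictly above `installed`, or null if none.
function nearestFix(installed, advisory) {
  const above = advisory.fixedIn
    .filter((f) => compareVersions(f, installed) > 0)
    .sort(compareVersions);
  return above.length ? above[0] : null;
}

// Depth-first walk over { name, version, dependencies: { name: {...} } }.
// One finding per (advisory, path), so a package reached through two
// parents reports both introduction paths.
function findVulnerablePaths(root, advisories) {
  const findings = [];
  const walk = (name, node, chain) => {
    const path = chain.concat(`${name}@${node.version}`);
    for (const adv of advisories) {
      if (adv.package === name && isVulnerable(node.version, adv)) {
        findings.push({
          id: adv.id,
          path: path.join(" > "),
          upgradeTo: nearestFix(node.version, adv),
        });
      }
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(depName, dep, path);
    }
  };
  walk(root.name, root, []);
  return findings;
}

// Constructed tree: the crisp-api@6.3.0 chains from this issue, plus a
// socket.io-parser already at a fixed version to show a clean path.
const SAMPLE_TREE = {
  name: "crisp-api", version: "6.3.0",
  dependencies: {
    got: { version: "9.6.0" },
    fbemitter: { version: "3.0.0", dependencies: {
      fbjs: { version: "3.0.2", dependencies: {
        "cross-fetch": { version: "3.1.4", dependencies: {
          "node-fetch": { version: "2.6.1" } } } } } } },
    "socket.io-client": { version: "4.6.1", dependencies: {
      "socket.io-parser": { version: "4.2.1" } } },
  },
};

// Constructed advisory records; vulnerable ranges are assumptions, verify.
const SAMPLE_ADVISORIES = [
  { id: "SNYK-JS-GOT-2932019", package: "got",
    vulnerable: [{ lo: null, hi: "11.8.5" }, { lo: "12.0.0", hi: "12.1.0" }],
    fixedIn: ["11.8.5", "12.1.0"] },
  { id: "SNYK-JS-NODEFETCH-2342118", package: "node-fetch",
    vulnerable: [{ lo: null, hi: "2.6.7" }, { lo: "3.0.0", hi: "3.1.1" }],
    fixedIn: ["2.6.7", "3.1.1"] },
  { id: "SNYK-JS-SOCKETIOPARSER-3091012", package: "socket.io-parser",
    vulnerable: [{ lo: null, hi: "3.3.3" }, { lo: "3.4.0", hi: "3.4.2" },
                 { lo: "4.0.4", hi: "4.0.5" }, { lo: "4.1.0", hi: "4.2.1" }],
    fixedIn: ["3.3.3", "3.4.2", "4.0.5", "4.2.1"] },
];

for (const f of findVulnerablePaths(SAMPLE_TREE, SAMPLE_ADVISORIES)) {
  console.log(`${f.id}: ${f.path} (upgrade to ${f.upgradeTo})`);
}
```

Run with `node`. The ranges are the part to get right: a "fixed in" list alone is not enough, as socket.io-parser shows (4.0.5 is a fix, yet 4.1.2 is still vulnerable), so keep explicit lower and upper bounds per affected line rather than assuming "newer than any fix on this major is safe".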