cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License

CVE-2021-44906 found on trivy scan for `minimist` dependency #28209

Open eagle-txec opened 12 months ago

eagle-txec commented 12 months ago

Current behavior

Installed version is 0.0.8

Desired behavior

Upgrade fix version is 1.2.6

Test code to reproduce

-

Cypress Version

13.3.3

Node version

16.20.2

Operating System

-

Debug Logs

          "VulnerabilityID": "CVE-2021-44906",
          "InstalledVersion": "0.0.8",
          "LastModifiedDate": "2022-04-12T16:52:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V2Score": 7.5,
              "V3Score": 9.8,
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "ghsa": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "minimist@0.0.8",
          "Title": "prototype pollution",
          "CweIDs": [
            "CWE-1321"
          ],
          "Status": "fixed",
          "PkgName": "minimist",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/mocha-7.0.1/node_modules/minimist/package.json",
          "Severity": "CRITICAL",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906",
          "References": [
            "https://access.redhat.com/errata/RHSA-2023:0321",
            "https://access.redhat.com/security/cve/CVE-2021-44906",
            "https://bugzilla.redhat.com/2066009",
            "https://bugzilla.redhat.com/2130518",
            "https://bugzilla.redhat.com/2134609",
            "https://bugzilla.redhat.com/2140911",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2066009",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2130518",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2134609",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2140911",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2142808",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548",
            "https://errata.almalinux.org/9/ALSA-2023-0321.html",
            "https://errata.rockylinux.org/RLSA-2023:0321",
            "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip",
            "https://github.com/advisories/GHSA-xvch-5gv4-984h",
            "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703",
            "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb",
            "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d",
            "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11",
            "https://github.com/minimistjs/minimist/commits/v0.2.4",
            "https://github.com/minimistjs/minimist/issues/11",
            "https://github.com/minimistjs/minimist/pull/24",
            "https://github.com/substack/minimist",
            "https://github.com/substack/minimist/blob/master/index.js#L69",
            "https://github.com/substack/minimist/issues/164",
            "https://linux.oracle.com/cve/CVE-2021-44906.html",
            "https://linux.oracle.com/errata/ELSA-2023-0321.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
            "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764",
            "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068",
            "https://www.cve.org/CVERecord?id=CVE-2021-44906"
          ],
          "Description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).",
          "FixedVersion": "1.2.6, 0.2.4",
          "PublishedDate": "2022-03-17T16:15:00Z",

Other

No response

levpachmanov commented 11 months ago

Hey @eagle-txec, we're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches, enabling more straightforward remediation in cases like this. We created a minimatch 3.0.4-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

shank1290 commented 5 months ago

The issue exists with 13.7.3 as well:

| minimist | CVE-2021-44906 | current version - 0.0.8 | fixed - 1.2.6, 0.2.4 | minimist: prototype pollution | -->avd.aquasec.com/nvd/cve-2021-44906 |

MikeMcC399 commented 4 months ago

To reproduce the report, use for example:

trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0

jennifer-shehane commented 4 months ago

From yarn why

 yarn why minimist
yarn why v1.22.19
[1/4] 🤔  Why do we have the module "minimist"...?
[2/4] 🚚  Initialising dependency graph...
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@29.4.3"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^27.0.2"
warning Resolution field "vue-template-compiler@2.6.12" is incompatible with requested version "vue-template-compiler@^2.7.14"
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "minimist@1.2.8"
info Has been hoisted to "minimist"
info Reasons this module exists
   - "workspace-aggregator-199e8a63-af5b-4011-b122-b173c4ba507f" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#minimist"
   - Hoisted from "_project_#@packages#electron#minimist"
   - Hoisted from "_project_#@packages#server#minimist"
   - Hoisted from "_project_#check-dependencies#minimist"
   - Hoisted from "_project_#patch-package#minimist"
   - Hoisted from "_project_#prebuild-install#minimist"
   - Hoisted from "_project_#mkdirp#minimist"
   - Hoisted from "_project_#@electron#fuses#minimist"
   - Hoisted from "_project_#autobarrel#minimist"
   - Hoisted from "_project_#http-server#minimist"
   - Hoisted from "_project_#tsconfig-paths#minimist"
   - Hoisted from "_project_#cypress#minimist"
   - Hoisted from "_project_#http-server#ecstatic#minimist"
   - Hoisted from "_project_#@tooling#v8-snapshot#cpr#minimist"
   - Hoisted from "_project_#@cypress#webpack-preprocessor#dependency-check#minimist"
   - Hoisted from "_project_#cypress#dependency-check#minimist"
   - Hoisted from "_project_#loader-utils#json5#minimist"
   - Hoisted from "_project_#tsconfig-paths#json5#minimist"
   - Hoisted from "_project_#@packages#frontend-shared#patch-package#minimist"
   - Hoisted from "_project_#prebuild-install#rc#minimist"
   - Hoisted from "_project_#lerna#strong-log-transformer#minimist"
   - Hoisted from "_project_#@packages#server#tsconfig-paths#minimist"
   - Hoisted from "_project_#@packages#server#firefox-profile#minimist"
   - Hoisted from "_project_#cypress#dependency-check#detective#minimist"
   - Hoisted from "_project_#electron-builder#app-builder-lib#electron-osx-sign#minimist"
   - Hoisted from "_project_#@packages#server#better-sqlite3#prebuild-install#minimist"
   - Hoisted from "_project_#@packages#electron#electron-packager#@electron#osx-sign#minimist"
   - Hoisted from "_project_#lerna#nx#tsconfig-paths#minimist"
   - Hoisted from "_project_#semantic-release#@semantic-release#release-notes-generator#conventional-changelog-writer#handlebars#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "stop-only#minimist@1.2.0"
info This module exists because "_project_#stop-only" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "snap-shot-core#minimist@0.0.8"
info Reasons this module exists
   - "_project_#snap-shot-core#mkdirp" depends on it
   - Hoisted from "_project_#snap-shot-core#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha#minimist@0.0.8"
info Reasons this module exists
   - "_project_#mocha#mkdirp" depends on it
   - Hoisted from "_project_#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "deps-ok#minimist@1.2.0"
info This module exists because "_project_#@cypress#webpack-preprocessor#deps-ok" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "bower-config#minimist@0.2.1"
info This module exists because "_project_#check-dependencies#bower-config" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha-7.0.1#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#server#mocha-7.0.1#mkdirp" depends on it
   - Hoisted from "_project_#@packages#server#mocha-7.0.1#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/example#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#example#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#example#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "cypress#mkdirp#minimist@0.0.8"
info This module exists because "_project_#cypress#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/network#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#network#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#network#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/config#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#config#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/data-context#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#data-context#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#data-context#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#driver#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#driver#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/errors#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#errors#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#errors#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/packherd-require#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#packherd-require#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#packherd-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/scaffold-config#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#scaffold-config#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#scaffold-config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/telemetry#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#telemetry#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#telemetry#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/v8-snapshot-require#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#v8-snapshot-require#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#v8-snapshot-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/electron-mksnapshot#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@tooling#electron-mksnapshot#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#electron-mksnapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/packherd#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@tooling#packherd#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#packherd#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/v8-snapshot#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@tooling#v8-snapshot#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#v8-snapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/server#mkdirp#minimist@0.0.8"
info This module exists because "_project_#@packages#server#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/system-tests#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@tooling#system-tests#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#system-tests#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#multer#minimist@1.2.8"
info Reasons this module exists
   - "_project_#@packages#driver#multer#mkdirp" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#@packages#driver#multer#mkdirp#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "optimist#minimist@0.0.8"
info This module exists because "_project_#@fellow#eslint-plugin-coffee#@fellow#coffeelint2#optimist" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "resize-img#minimist@0.0.8"
info Reasons this module exists
   - "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp" depends on it
   - Hoisted from "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
✨  Done in 2.13s.

hjqgloria commented 4 months ago

Hi, installed the latest cypress/included:13.13.0 and still critical security vulnerability.

Command: RUN |6 NODE_VERSION=20.14.0 YARN_VERSION=1.22.22 CHROME_VERSION=126.0.6478.114-1 EDGE_VERSION=126.0.2592.61-1 FIREFOX_VERSION=127.0.1 CYPRESS_VERSION=13.13.0 /bin/sh -c node /opt/installScripts/cypress/install-cypress-version.js ${CYPRESS_VERSION} # buildkit

jennifer-shehane commented 3 months ago

We're open to PRs to fix this. We have no reason to believe this critical vulnerability has any actual exposure with the way Cypress is executed.

hjqgloria commented 3 months ago

We're open to PRs to fix this. We have no reason to believe this critical vulnerability has any actual exposure with the way Cypress is executed.

Ok, how about the other 3 critical? Will they be fixed or the same case as minimist? Or we need to open new issues?

MikeMcC399 commented 3 months ago

@hjqgloria

The other issues have already been reported.