department-of-veterans-affairs / va.gov-cms

Editor-centered management for Veteran-centered content.
https://prod.cms.va.gov
GNU General Public License v2.0
99 stars 69 forks source link

Dependabot Critical Issue 1 of 3: Upgrade Babel #17100

Open maortiz-27-80 opened 10 months ago

maortiz-27-80 commented 10 months ago

User Story or Problem Statement

As of 01/30/24 as part of compliance with https://github.com/orgs/department-of-veterans-affairs/discussions/5, the CMS team has identified three (3) critical issues that need to be remediated. Details on this issue:

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Known affected plugins are: [ ] @babel/plugin-transform-runtime [ ] @babel/preset-env when using its useBuiltIns option [ ] Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

[ ] Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version. [ ] If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:

Acceptance Criteria

Team

Please check the team(s) that will do this work.

cc: @ndouglas @EWashb @BerniXiongA6 @michelle-dooley @gracekretschmer-metrostar

gracekretschmer-metrostar commented 9 months ago

Email from @ndouglas on 2/5/2024 when asked about this task:

_They're security issues, but should be addressed by or at least include a frontend engineer who is familiar with the appearance and behavior of all of the components. This might cascade into other updates, touch many different parts of the frontend system, and become a substantial amount of work.

The outgoing CMS Team currently doesn't have any frontend engineers, and IIRC the incoming team doesn't either. Accelerated Publishing and Public Websites teams do; it's possible that this ticket should be reassigned or that a discussion should be held about who should be responsible for this.

I also don't know if perhaps the responsibilities of the CMS Team have changed.

Nate._

gracekretschmer-metrostar commented 9 months ago

@edmund-dunn

Hassantariq-MetroStar commented 9 months ago

@gracekretschmer-metrostar Needs someone from the accelerated publishing team or a Front-end developer intervention on this to complete. cc @edmund-dunn

gracekretschmer-metrostar commented 8 months ago

@Hassantariq-MetroStar I spoke to Edmund and we are still responsible for this ticket, but he said that we will need to ask either Accelerated Publishing or the Public Websites team to review and verify the update. When Amanda is back in the office, I will circle back with her to see if this is a task that she could do.

EWashb commented 8 months ago

@gracekretschmer-metrostar this issue will need coordination between either PW or AP. Let me know if you need my help routing. Any support we ask of them will need to be communicated ahead of time so that they may determine the lift and work it into an upcoming sprint dependent on capacity.

gracekretschmer-metrostar commented 8 months ago

Thanks, @EWashb. I will get with @timcosgrove today to discuss a plan of action for their support in reviewing.

gracekretschmer-metrostar commented 7 months ago

Per @timcosgrove: this issue cannot be resolved due to node version constraints. The platform team is working on the update that will allow moving node versions, but they have not gotten there yet.