digitalbazaar / jsonld-signatures

An implementation of the Linked Data Signatures specification for JSON-LD. Works in the browser and Node.js.
BSD 3-Clause "New" or "Revised" License

Is it possible to remove the vulnerability introduced by xmldom? #156

Open bestrivens001 opened 3 years ago

bestrivens001 commented 3 years ago

Hi, @dlongley @dmitrizagidulin,

Issue Description

When I build my project, I notice that the vulnerability CVE-2021-21366, detected in package xmldom (<0.5.0), is transitively referenced by jsonld-signatures@5.2.0. However, jsonld-signatures@5.2.0 is so popular that a large number of latest versions of active and popular downstream projects depend on it (about 92 downstream projects, e.g., did-veres-one 13.0.2, @affinityproject/wallet-core-sdk 0.13.3, caelum 1.2.22, @affinityproject/issuer-util 1.0.0-beta.9, @affinityproject/common-lib 0.4.1, etc.). In this case, the vulnerability CVE-2021-21366 can be propagated into these downstream projects and expose security threats to them. As you can see, jsonld-signatures@5.2.0 is introduced into the above projects via the following package dependency paths:

(1) @kiltprotocol/vc-export@0.22.1 ➔ vc-js@0.6.4 ➔ jsonld-signatures@5.2.0 ➔ jsonld@2.0.2 ➔ xmldom@0.1.19
(2) hypersign-auth-js-sdk@2.0.6 ➔ hs-ssi-sdk@5.0.1 ➔ did-veres-one@12.2.0 ➔ ocapld@2.0.0 ➔ jsonld-signatures@5.2.0 ➔ jsonld@2.0.2 ➔ xmldom@0.1.19
......

I know that it's kind of you to have removed the vulnerability since jsonld-signatures@7.0.0. But, in fact, the above large amount of downstream projects cannot easily upgrade jsonld-signatures from version 5.2.0 to (>=7.0.0): The projects such as vc-js, which introduced jsonld-signatures@5.2.0, are not maintained anymore. These unmaintained packages can neither upgrade jsonld-signatures nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package jsonld-signatures@5.2.0?

Suggested Solution

Since these inactive projects set a version constraint 5.2.* for jsonld-signatures on the above vulnerable dependency paths, if jsonld-signatures removes the vulnerability from 5.2.0 and releases a new patched version jsonld-signatures@5.2.1, such a vulnerability patch can be automatically propagated into the downstream projects.

In jsonld-signatures@5.2.1, maybe you can try to perform the following upgrade: jsonld ^2.0.2 ➔ ^4.0.0;
Note: jsonld@4.0.0 (>=4.0.0) doesn't depend on xmldom anymore.

Of course, you are welcome to share other ways to resolve the issue. ^_^
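The mechanics behind this suggestion, as an added example that is not part of the jsonld-signatures project or of the issue: a small Node script that walks a dependency graph, reports every path ending at an xmldom version below the fixed 0.5.0, and then simulates the proposed jsonld-signatures@5.2.1 release (depending on jsonld 4.x, which the issue states has no xmldom dependency) to show the paths disappear for consumers constrained to 5.2.*. The graph is constructed from the two paths quoted above; `withPatchedSignatures`, `findVulnerablePaths` and the rest are hypothetical helper names, and the version comparison is a deliberately minimal major.minor.patch comparator, not the full semver algorithm.

```javascript
// Added example (not from jsonld-signatures): detect transitive paths to a
// vulnerable package version and check what a patch release would change.

// Constructed graph ("name@version" -> direct dependencies) built from the two
// dependency paths quoted in the issue; a real lock file would be far larger.
const GRAPH = {
  '@kiltprotocol/vc-export@0.22.1': ['vc-js@0.6.4'],
  'vc-js@0.6.4': ['jsonld-signatures@5.2.0'],
  'hypersign-auth-js-sdk@2.0.6': ['hs-ssi-sdk@5.0.1'],
  'hs-ssi-sdk@5.0.1': ['did-veres-one@12.2.0'],
  'did-veres-one@12.2.0': ['ocapld@2.0.0'],
  'ocapld@2.0.0': ['jsonld-signatures@5.2.0'],
  'jsonld-signatures@5.2.0': ['jsonld@2.0.2'],
  'jsonld@2.0.2': ['xmldom@0.1.19'],
  'xmldom@0.1.19': [],
};
const ROOTS = ['@kiltprotocol/vc-export@0.22.1', 'hypersign-auth-js-sdk@2.0.6'];

// Split "name@version" on the last "@" so scoped names (@scope/pkg) survive.
function splitSpec(spec) {
  const i = spec.lastIndexOf('@');
  return { name: spec.slice(0, i), version: spec.slice(i + 1) };
}

// Numeric major.minor.patch only; a pre-release suffix such as "-beta.9" is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator returning -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal "X.Y.*" matcher: enough to show why a 5.2.1 release is picked up by
// consumers whose constraint is 5.2.*, while 7.0.0 is not.
function matchesWildcard(range, version) {
  const [rMaj, rMin, rPatch] = range.split('.');
  if (rPatch !== '*') throw new Error('only X.Y.* ranges are supported here');
  const [maj, min] = parseVersion(version);
  return maj === Number(rMaj) && min === Number(rMin);
}

// Depth-first search for every root-to-leaf path that reaches pkgName at a
// version below fixedVersion. Returns an array of paths (arrays of specs).
function findVulnerablePaths(graph, roots, pkgName, fixedVersion) {
  const hits = [];
  const walk = (node, path) => {
    if (path.includes(node)) return; // cycle guard
    const { name, version } = splitSpec(node);
    const here = [...path, node];
    if (name === pkgName && compareVersions(version, fixedVersion) < 0) {
      hits.push(here);
      return;
    }
    for (const dep of graph[node] || []) walk(dep, here);
  };
  for (const root of roots) walk(root, []);
  return hits;
}

// Simulate the suggested patch release: every edge to 5.2.0 resolves to 5.2.1,
// which depends on jsonld 4.x. That jsonld 4.x has no xmldom dependency is the
// issue's claim, taken here as an assumption.
function withPatchedSignatures(graph) {
  const patched = {};
  for (const [node, deps] of Object.entries(graph)) {
    patched[node] = deps.map(d =>
      d === 'jsonld-signatures@5.2.0' ? 'jsonld-signatures@5.2.1' : d);
  }
  patched['jsonld-signatures@5.2.1'] = ['jsonld@4.0.0'];
  patched['jsonld@4.0.0'] = [];
  return patched;
}

// Human-readable report of vulnerable xmldom paths in a graph.
function report(graph) {
  return findVulnerablePaths(graph, ROOTS, 'xmldom', '0.5.0')
    .map(p => p.join(' -> '));
}

console.log('before patch:', report(GRAPH));
console.log('after patch :', report(withPatchedSignatures(GRAPH)));
```

Running it prints the two vulnerable paths from the issue before the simulated patch and an empty list after it. The same walk applied to a real `package-lock.json` (mapping each locked package to its resolved dependencies) is the check a downstream maintainer would run to confirm whether a transitive advisory actually reaches their build.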

dlongley commented 3 years ago

@davidlehn,

Can you see what the simplest fix here is? Maybe jsonld@2 could have a patch release with a later xmldom -- or maybe that is more challenging, I don't know.

@bestrivens001,

The projects such as vc-js, which introduced jsonld-signatures@5.2.0, are not maintained anymore.

Btw, vc-js is still maintained -- and maintained by the same team that maintains both jsonld and jsonld-signatures. Its npm package name has just changed from vc-js to the scoped @digitalbazaar/vc to make maintenance easier. It all uses the same repository though: https://github.com/digitalbazaar/vc-js