Security issue: Downloads Resources over HTTP

[feross]

There is currently an open security advisory about this module from the Node Security Project.

https://nodesecurity.io/advisories/161

Overview

unicode loads unicode data downloaded from unicode.org into nodejs.

Unicode downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

Remediation

No fix is currently available for this vulnerability.

It is our recommendation to not install or use this module at this time.

[feross]

There does not appear to be an https version of the unicode data URL. Would you be willing to include an offline copy of the data in the package, fetched at publish time?

[HansHammel]

put the dowbload code in a prepublish/build script and add the file to your package

[feross]

@HansHammel That solution requires every user of this package to do unnecessary extra work. Let's solve it once, correctly, in this package so that all users aren't exposed to man-in-middle attacks because of insecure http requests.

[HansHammel]

as I said, put the file in the code

[feross]

@HansHammel I think you're either trolling me, or just misunderstanding what I wrote. I suggest rereading this thread before commenting further.

@dodo Any thoughts on this issue? Would you accept a PR that downloads UnicodeData.txt at publish time and includes it in this package? This would resolve the outstanding Node.js Security Advisory against this package.

[HansHammel]

No, seriously, why do you have to download the file? Is there any reason you cannot embed it and update it only on new package releases (publish)!? Do it like those guys or use their link (trustworthy!?) https://github.com/latex3/unicode-data/blob/master/UnicodeData.txt , https://fossies.org/linux/misc/Pike-v8.0.388.tar.gz/Pike-v8.0.388/src/UnicodeData.txt?m=t, http://downloads.sourceforge.net/project/unitsofmeasurementforada/sources/test_strings_edit/UnicodeData.txt I would use pre-release curl command in or something...

[feross]

@HansHammel You're advocating for the same thing that I am. Download the file right before a release.

[viki53]

Any advancement on that? I can't push my project into production if there's a security flaw, as our CI runs nsp check before deploying.

As it uses this package, it would be great to have a definitive solution…

[srl295]

https coming soon

[schmidsi]

If it will be loaded over HTTPS, it is still an issue if the unicode server goes down or throttles downloads as discussed in #25 and other issues in this repo.

Especially on Mac OS, where you can't simply sudo apt-get install unicode-data. Therefore, I am +1 for @feross & @HansHammel's solution to simply include it into this repo.

[antoine-pous]

Moreover sourceforge is far from reliable. Store this file directly in the module is the best way to avoid problems and improve human validation.

[tdanecker]

Hi,

I just created a pull request, doing this, as we have the same issue: https://github.com/dodo/node-unicodetable/pull/28

I'd by happy about any reviews ;)

We at eversports.com also depend on quite some packages using this one and at the moment it breaks our development and deployment processes. I also just wrote to the npmjs support team about this, because the package seems quite orphaned.

If someone wants to join maintaining the package, please don't hesitate getting in touch with me. I hope I'll get a quick response from the npmjs team. We'll see...

[tonglil]

/popcorn

[laduke]

adding

addons:

  apt:
    packages:
    - unicode-data

seems to help if you're on travis-ci

[tdanecker]

Hello everyone!

I just published a new version on npm and thereby directly adopted the unicode version scheme, so the new version is 9.0.0. The slug package should automatically use this new version.

You find the new fork here: https://github.com/eversport/node-unicodetable

Feel free to create or move any issues there! Also, anyone who wants to join maintaining or just create new pull requests is very welcome!

The new version also provides the category/*.js files directly, so there is no need to download a file from unicode.org anymore during install.

[srl295]

@tdanecker also see #16