elastic / apm-nodejs-http-client

**Moved to elastic/apm-agent-nodejs.** A low-level Node.js HTTP client for communicating with the Elastic APM intake API
MIT License
21 stars 30 forks source link

Audit failure due to a vulnerability in semver #201

Closed sefiros1 closed 1 year ago

sefiros1 commented 1 year ago

Library semver <7.5.2 has a vulnerability: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Script npm audit fail due error:

                       === npm audit security report ===                        

# Run  npm install semver@7.5.3  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm install --save-dev nyc@15.1.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > test-exclude > read-pkg-up > read-pkg >                │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm install --save-dev standard@17.1.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint > cross-spawn > semver                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-lib-instrument > semver                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > make-dir > semver                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > caching-transform > make-dir > semver                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 moderate severity vulnerabilities in 365 scanned packages
  3 vulnerabilities require semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.
trentm commented 1 year ago

@sefiros1 Thanks for opening the issue.

semver@6 is used in this module elastic-apm-http-client and in elastic-apm-node (the module for this this repo exists):

elastic-apm-node@3.47.0 /Users/trentm/el/apm-agent-nodejs
├─┬ elastic-apm-http-client@11.4.0
│ └── semver@6.3.0 deduped
└── semver@6.3.0

The vuln is a ReDoS vuln when untrusted input is given to semver.Range, also indirectly used by semver.satisfies(ver, range). The latter is used in many places in this code. However, in none of them is untrusted input given to the "range" argument. I suppose one arguable usage is this:

lib/opentelemetry-metrics/index.js
18:const isOTelMetricsFeatSupported = semver.satisfies(process.version, _supportRange)

However, that _supportsRange is from "node_modules/@opentelemetry/sdk-metrics/package.json". If that has been compromised in the install of this package, then the security game is up already. In conclusion: I don't think this package is affected by this vulnerability in semver.


Normally, one would just update to a fixed version of semver and move on. However, there isn't one that we can use. Currently per https://github.com/npm/node-semver/pull/564#issuecomment-1604502152 there is only a released fix for semver@7 and no current plans to backport.

We cannot use semver@7 because it's minimum supported Node.js version is v10. This package, elastic-apm-node@3, currently supports back to Node.js v8.6. (Note that we are currently planning a v4 major version bump that will drop support for Node.js v8. For that version we will upgrade our semver dependency.


I realize that this means we will fail npm audit until elastic-apm-node@4 is released (there is no current release date plan for that). Hopefully that is not too disruptive for users.