Closed elshize closed 2 months ago
I doubt this is possible. IIRC you can't use extras to manage contents of the package, only dependencies. We will probably have to tackle this the hard way by upgrading JS packages. One very ugly workaround for you might be building your own docker image which removes unnecessary JS folders.
Thanks @tokoko yeah, unfortunately, I'm very limited in what I can do in terms of workarounds :/
I tried to update the dependencies and submit a PR but I kept getting errors that I don't understand. I imagine it would be a much simpler task for someone who knows what they're doing, so I will just open a ticket for that.
@elshize do you mind telling us which vulnerability scanner is used, or sharing how many dependencies were affected? Shall we only handle the results from "yarn audit"?
@elshize can you provide the report of the packages with issues?
@shuchu it is called mend (mend.io).
@franciscojavierarceo thanks, I appreciate it. Unfortunately I'm currently traveling until later next week, so I'll be able to come back to you then
No problem!
@franciscojavierarceo here's a list of the packages I got from a scan today:
*********************************************************************
*
* Vulnerabilities found during image scan
*
*********************************************************************
ID SEVERITY DESCRIPTION
CVE-2022-3517 high A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
CVE-2020-7753 high All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
CVE-2024-45590 high body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
CVE-2021-3803 high nth-check is vulnerable to Inefficient Regular Expression Complexity
CVE-2022-23647 high Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
CVE-2021-23341 high The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
CVE-2022-37603 high A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
CVE-2024-45296 high path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
CVE-2021-32723 high Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
CVE-2022-46175 high JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
CVE-2020-15138 high Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
CVE-2021-3801 medium prism is vulnerable to Inefficient Regular Expression Complexity
CVE-2024-43788 medium Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2024-4067 medium The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8. Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
CVE-2023-44270 medium An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
CVE-2023-44270 medium An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
CVE-2022-25883 medium Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
WS-2020-0208 medium If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.
CVE-2023-26115 medium All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
CVE-2024-43800 medium serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
CVE-2024-43796 medium Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
CVE-2024-43799 medium Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
*********************************************************************
*
* Summary
*
* Vulnerabilities
* Critical: 0
* High: 11
* Medium: 11
* Low: 0
*
********************************************************************
Is your feature request related to a problem? Please describe.
Vulnerability scanners pick up JS packages from the ui folder: https://github.com/feast-dev/feast/tree/master/sdk/python/feast/ui even though I don't actually use it.
Describe the solution you'd like
Requiring it to be installed with feast[ui] would provide a way to avoid deploying that code if not needed.
Describe alternatives you've considered
I looked into disabling certain paths, but in my CI this is currently not possible. We may soon have problems deploying any feast code in production, unfortunately.
An alternative would be to keep those JS packages as up to date as possible. But it would be much better if we didn't have any JS code in our Python deployment.
Additional context
Open to other suggestions how I could force this code out of my deployment, but I must use Poetry for dependency management...
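The "ugly workaround" tokoko suggests above (a derived image that deletes the JS folders) and the "other suggestions" the issue asks for, as an added example; this is not feast's code and not something posted in the thread. It assumes the UI is installed at `<feast package dir>/ui` (the repo path sdk/python/feast/ui from the issue), that image scanners discover npm packages through package.json and lock files, and that nothing in the image ever runs `feast ui`, which this breaks. The function names, the Dockerfile lines and the guard checks are this example's own.

```sh
#!/bin/sh
# Added example (not feast's own code, not from the issue thread): strip the
# bundled JS UI out of an installed feast package so image scanners stop
# attributing its npm dependencies to your image.
# Assumptions: the UI ships at <feast package dir>/ui (the repo's
# sdk/python/feast/ui), and scanners discover npm packages via package.json
# and lock files. Removing the folder breaks `feast ui`, so only do this in
# images that never serve the UI.
set -eu

# count_js_manifests <dir>: number of npm manifests/lock files under <dir>.
# Zero means a scanner has nothing left to attribute to npm in that tree.
count_js_manifests() {
    find "$1" -type f \( -name package.json -o -name yarn.lock -o -name package-lock.json \) \
        | wc -l | tr -d ' '
}

# strip_feast_ui <feast_pkg_dir>: delete <feast_pkg_dir>/ui and fail unless
# no JS manifests remain anywhere under the package afterwards.
strip_feast_ui() {
    pkg_dir="$1"
    ui_dir="$pkg_dir/ui"

    # Guard: only touch something that looks like a Python package, so a bad
    # argument cannot turn this into rm -rf of an arbitrary path.
    if [ ! -f "$pkg_dir/__init__.py" ]; then
        echo "refusing: $pkg_dir is not a Python package directory" >&2
        return 2
    fi
    if [ ! -d "$ui_dir" ]; then
        echo "nothing to do: no ui directory under $pkg_dir" >&2
        return 0
    fi

    before=$(count_js_manifests "$pkg_dir")
    rm -rf "$ui_dir"
    after=$(count_js_manifests "$pkg_dir")
    echo "removed $ui_dir (JS manifests: $before -> $after)"

    # Fail the build loudly if JS is still present elsewhere in the package;
    # better than shipping an image that still trips the scanner.
    [ "$after" -eq 0 ]
}

# Dockerfile usage, as an extra layer on top of your existing feast image:
#   COPY strip_feast_ui.sh /tmp/
#   RUN sh /tmp/strip_feast_ui.sh \
#         "$(python -c 'import os, feast; print(os.path.dirname(feast.__file__))')"
if [ -n "${1:-}" ]; then
    strip_feast_ui "$1"
fi
```

The final `[ "$after" -eq 0 ]` is the check worth keeping: it makes the image build fail if a package.json or lock file survives anywhere under feast, which is exactly the condition under which the scanner would keep reporting npm findings. Re-scan the resulting image before relying on it, since a scanner may also index JS files by other means than the manifests counted here.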