firebase / firebase-admin-node

Firebase Admin Node.js SDK
https://firebase.google.com/docs/admin/setup
Apache License 2.0

Crash in HeaderParser in dicer #1729

Closed kirank21 closed 2 years ago

kirank21 commented 2 years ago

Installed package firebase-admin@^10.0.2 which has dependency upon dicer "^0.3.0".

GitHub Advisory has notified me regarding the Crash in HeaderParser in dicer with High severity status.

Please help me fix this security issue.

google-oss-bot commented 2 years ago

I found a few problems with this issue:

BowTiedSwan commented 2 years ago

Hi team, this issue seems to be critical as the dicer package hasn't had a patch fixing it:

mgav commented 2 years ago

"…affects all versions of package dicer."

Running "npm audit report" for me yields:

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install firebase-functions@2.3.1, which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    @apollographql/graphql-upload-8-fork  *
    Depends on vulnerable versions of busboy
    node_modules/@apollographql/graphql-upload-8-fork
      apollo-server-core  2.21.0-alpha.0 - 2.25.4
      Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
      node_modules/apollo-server-core
        apollo-server-express  2.0.1 || 2.21.0-alpha.0 - 2.25.4
        Depends on vulnerable versions of apollo-server-core
        node_modules/apollo-server-express
          @vue/cli-ui  >=5.0.0-alpha.0
          Depends on vulnerable versions of apollo-server-express
          node_modules/@vue/cli-ui
            @vue/cli  >=5.0.0-alpha.0
            Depends on vulnerable versions of @vue/cli-ui
            node_modules/@vue/cli
  firebase-admin  >=7.1.0
  Depends on vulnerable versions of dicer
  node_modules/firebase-admin
    firebase-functions  >=3.0.0
    Depends on vulnerable versions of firebase-admin
    node_modules/firebase-functions

9 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Here's a link to the official "npm audit" docs: https://docs.npmjs.com/cli/v8/commands/npm-audit

Of course "npm audit fix --force" can create other problems.

CharithJ writes: "Most of the time do not do this. Running audit fix will update some of the packages but not all their dependencies, which can cause run time errors."

I'm a novice and have not tried this and am NOT suggesting to do it, but the docs mention "Do a dry run to get an idea of what audit fix will do, and also output install information in JSON format:" npm audit fix --dry-run --json

I wonder if there's an option to do a "dry run" on "force" (npm audit fix --force --dry-run --json), even though it's not mentioned?
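One way to triage a report like the one quoted above before deciding on npm audit fix --force: the script below is an added example (not code from this thread or from the firebase-admin project) that reads the JSON form of the report (npm audit --json), and for each advisory walks the dependant chain up to the package you actually depend on, reporting whether the available fix is a semver-major (breaking) change. The JSON layout (a vulnerabilities map with via, effects, isDirect, nodes and fixAvailable) follows the npm v7+ audit report as I know it; the embedded report is a constructed sample mirroring the dicer chain in the thread, not real npm output.

```python
"""Triage `npm audit --json` output: map each advisory to the top-level
dependencies it reaches and flag whether the offered fix is breaking."""
import json

# Constructed sample modelled on the npm v7+ `npm audit --json` layout; it is
# NOT real output. Only the `vulnerabilities` map is used, so `metadata` is omitted.
SAMPLE_AUDIT_JSON = """
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "dicer": {
      "name": "dicer", "severity": "high", "isDirect": false, "range": "*",
      "via": [{
        "name": "dicer", "dependency": "dicer",
        "title": "Crash in HeaderParser in dicer",
        "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2",
        "severity": "high", "range": "*"
      }],
      "effects": ["busboy", "firebase-admin"],
      "nodes": ["node_modules/dicer"],
      "fixAvailable": {"name": "firebase-functions", "version": "2.3.1", "isSemVerMajor": true}
    },
    "busboy": {
      "name": "busboy", "severity": "high", "isDirect": false, "range": "<=0.3.1",
      "via": ["dicer"], "effects": [], "nodes": ["node_modules/busboy"],
      "fixAvailable": {"name": "firebase-functions", "version": "2.3.1", "isSemVerMajor": true}
    },
    "firebase-admin": {
      "name": "firebase-admin", "severity": "high", "isDirect": false, "range": ">=7.1.0",
      "via": ["dicer"], "effects": ["firebase-functions"],
      "nodes": ["node_modules/firebase-admin"],
      "fixAvailable": {"name": "firebase-functions", "version": "2.3.1", "isSemVerMajor": true}
    },
    "firebase-functions": {
      "name": "firebase-functions", "severity": "high", "isDirect": true, "range": ">=3.0.0",
      "via": ["firebase-admin"], "effects": [],
      "nodes": ["node_modules/firebase-functions"],
      "fixAvailable": {"name": "firebase-functions", "version": "2.3.1", "isSemVerMajor": true}
    }
  }
}
"""


def load_vulnerabilities(report_text):
    """Return the `vulnerabilities` map of an `npm audit --json` report."""
    return json.loads(report_text)["vulnerabilities"]


def paths_to_roots(vulns, pkg, seen=()):
    """Follow `effects` edges upward from `pkg` until a direct dependency (or a
    package nobody else depends on) is reached. Returns a list of paths, each
    ordered from the advisory package up to the root. `seen` guards cycles."""
    seen = seen + (pkg,)
    entry = vulns[pkg]
    dependants = [d for d in entry.get("effects", []) if d in vulns and d not in seen]
    if entry.get("isDirect") or not dependants:
        return [list(seen)]
    paths = []
    for dep in dependants:
        paths.extend(paths_to_roots(vulns, dep, seen))
    return paths


def triage(report_text):
    """One finding per (advisory, root dependency) pair. A dict entry in `via`
    is an advisory; a plain string there only names an upstream vulnerable
    package and is skipped so each advisory is reported once, at its source."""
    vulns = load_vulnerabilities(report_text)
    findings = []
    for pkg, entry in vulns.items():
        fix = entry.get("fixAvailable")
        breaking = isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            for path in paths_to_roots(vulns, pkg):
                findings.append({
                    "advisory": via["title"],
                    "url": via["url"],
                    "severity": via["severity"],
                    "root": path[-1],
                    "path": " -> ".join(reversed(path)),  # dependant first, like `npm ls`
                    "breaking_fix": breaking,
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_JSON):
        print(f"[{f['severity']}] {f['advisory']} ({f['url']})")
        print(f"    reaches {f['root']} via {f['path']}; breaking fix: {f['breaking_fix']}")
```

In practice you would feed it `npm audit --json > audit.json` from your own project; a finding whose root is a package you only use in a code path that never parses untrusted multipart input (as lahirumaramba notes later in the thread for the Admin SDK's use of dicer) can be risk-accepted and tracked, while a breaking_fix of True tells you that --force would change a top-level major version, so a dry run and a test pass belong before any forced fix.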

Kondamon commented 2 years ago

It seems it will not be fixed in dicer: https://github.com/mscdex/dicer/pull/22 However, a fix is ongoing in multer: https://github.com/expressjs/multer/pull/1097

Kondamon commented 2 years ago

Duplicate of #1512

mgav commented 2 years ago

Duplicate of #1512

FYI, that issue was opened Dec 4, 2021

lahirumaramba commented 2 years ago

Please see my reply to https://github.com/firebase/firebase-admin-node/issues/1718#issuecomment-1137874274. The Admin Node.js SDK uses dicer to parse multipart responses from Firebase APIs, so the risk here is pretty minimal. However, I agree that it would be great to address this properly. We are currently looking into the available options.

I am going to close this issue as we will continue to track this in #1718. Thanks everyone.

RoadAssist commented 2 years ago

Is there any workaround available, guys?

mgav commented 2 years ago

Preamble: I am a novice and this is not advice on what you should do - I'm just relaying what I did and what the outcome was.

After deploying my Vuejs3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment above.

Having no other solutions on the table, I decided to uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2).

BUT, after the first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got was a ton of high severity warnings and problems.

So I decided to once again uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2) and that's it (did NOT run npm audit fix).

I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!