foreversd / forever

A simple CLI tool for ensuring that a given script runs continuously (i.e. forever)
http://github.com/foreverjs/forever
MIT License
13.87k stars, 946 forks

Security vulnerabilities reported by nsp and snyk #960

Open rahul-desai3 opened 7 years ago

rahul-desai3 commented 7 years ago

I have been using the NPM modules nsp and snyk to test the node modules in my project for security vulnerabilities.

Reported by nsp:

$ nsp check --output json
[
  {
    "id": 533,
    "updated_at": "2017-09-25T19:11:21.203Z",
    "created_at": "2017-09-21T20:44:30.777Z",
    "publish_date": "2017-09-25T19:11:21.202Z",
    "overview": "The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.",
    "recommendation": null,
    "cvss_vector": null,
    "cvss_score": null,
    "module": "timespan",
    "version": "2.3.0",
    "vulnerable_versions": "<=99.999.99999",
    "patched_versions": "<0.0.0",
    "title": "Regular Expression Denial of Service",
    "path": [
      "edm@1.0.0",
      "forever@0.15.3",
      "timespan@2.3.0"
    ],
    "advisory": "https://nodesecurity.io/advisories/533"
  }
]

Reported by snyk:

$ snyk test
✗ Low severity vulnerability found on debug@2.6.8
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:debug:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > tar-pack@3.4.0 > debug@2.6.8
Your dependencies are out of date, otherwise you would be using a newer debug than debug@2.6.8.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

✗ High severity vulnerability found on timespan@2.3.0
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:timespan:20170907
- from: edm@1.0.0 > forever@0.15.3 > timespan@2.3.0
Fix: None available. Consider removing this dependency.

✗ Medium severity vulnerability found on tough-cookie@2.3.2
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:tough-cookie:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > request@2.81.0 > tough-cookie@2.3.2
Your dependencies are out of date, otherwise you would be using a newer tough-cookie than tough-cookie@2.3.2.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

Tested 365 dependencies for known vulnerabilities, found 3 vulnerabilities, 3 vulnerable paths.
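An added example, not code from the forever project or from the reporter: a small JavaScript triage helper that parses the two outputs above (the nsp JSON and an excerpt of the snyk text, both embedded as constructed samples copied from the report) into one shape, so each finding can be tied to the direct dependency that introduces it, the depth of the dependency chain, and whether any fixed release exists. nsp marks "no fix" with the unsatisfiable range `<0.0.0`, snyk prints `Fix: None available`; the function names and the trimmed snyk excerpt are assumptions of this example.

```javascript
// Added example (not part of forever or of the issue): normalise nsp JSON and
// snyk text findings into one record shape for triage.

// Constructed sample: the single advisory from the nsp output in the report.
const NSP_JSON = JSON.stringify([{
  id: 533,
  module: 'timespan',
  version: '2.3.0',
  vulnerable_versions: '<=99.999.99999',
  patched_versions: '<0.0.0',
  title: 'Regular Expression Denial of Service',
  path: ['edm@1.0.0', 'forever@0.15.3', 'timespan@2.3.0'],
  advisory: 'https://nodesecurity.io/advisories/533',
}]);

// Constructed sample: the advisory lines of the snyk output in the report.
const SNYK_TEXT = `
✗ Low severity vulnerability found on debug@2.6.8
- desc: Regular Expression Denial of Service (ReDoS)
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > tar-pack@3.4.0 > debug@2.6.8

✗ High severity vulnerability found on timespan@2.3.0
- desc: Regular Expression Denial of Service (ReDoS)
- from: edm@1.0.0 > forever@0.15.3 > timespan@2.3.0
Fix: None available. Consider removing this dependency.

✗ Medium severity vulnerability found on tough-cookie@2.3.2
- desc: Regular Expression Denial of Service (ReDoS)
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > request@2.81.0 > tough-cookie@2.3.2
`;

// Split "name@version"; lastIndexOf keeps scoped names (@scope/name@1.0.0) intact.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
                : { name: spec, version: null };
}

// A chain runs from the scanned project (index 0) to the vulnerable module (last).
// Index 1 is therefore the direct dependency that pulls the module in.
function describePath(path) {
  const direct = path.length > 1 ? splitSpec(path[1]).name : null;
  return { directDependency: direct, depth: Math.max(path.length - 1, 0), transitive: path.length > 2 };
}

function parseNspReport(jsonText) {
  return JSON.parse(jsonText).map((a) => ({
    source: 'nsp',
    module: a.module,
    version: a.version,
    severity: null, // this nsp output carries no CVSS score
    title: a.title,
    // nsp reports "<0.0.0" (a range nothing satisfies) when no fixed release exists.
    fixAvailable: typeof a.patched_versions === 'string' && a.patched_versions.trim() !== '<0.0.0',
    ...describePath(Array.isArray(a.path) ? a.path : []),
  }));
}

function parseSnykReport(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const head = line.match(/^✗ (\w+) severity vulnerability found on (\S+)$/);
    if (head) {
      const { name, version } = splitSpec(head[2]);
      current = { source: 'snyk', module: name, version, severity: head[1].toLowerCase(),
                  title: null, fixAvailable: true, ...describePath([]) };
      findings.push(current);
    } else if (current && line.startsWith('- desc: ')) {
      current.title = line.slice('- desc: '.length);
    } else if (current && line.startsWith('- from: ')) {
      Object.assign(current, describePath(line.slice('- from: '.length).split(' > ')));
    } else if (current && line.startsWith('Fix: None available')) {
      current.fixAvailable = false;
    }
  }
  return findings;
}

// Count findings per direct dependency and list modules with no upstream fix,
// which can only be removed or replaced rather than upgraded.
function summarize(findings) {
  const byDirectDependency = {};
  for (const f of findings) {
    byDirectDependency[f.directDependency] = (byDirectDependency[f.directDependency] || 0) + 1;
  }
  return {
    total: findings.length,
    byDirectDependency,
    withoutFix: [...new Set(findings.filter((f) => !f.fixAvailable).map((f) => f.module))],
  };
}

console.log(JSON.stringify(summarize([...parseNspReport(NSP_JSON), ...parseSnykReport(SNYK_TEXT)]), null, 2));
```

Run against the two samples, the summary attributes all four findings to `forever` as the direct dependency and lists only `timespan` as having no fix, which is what snyk's "Consider removing this dependency" line says in prose; the three transitive findings sit seven levels deep, so they are reachable only by upgrading or replacing the intermediate packages rather than anything in the project itself.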

bennycode commented 7 years ago

I also received a warning today by "nsp" about "forever": https://nodesecurity.io/advisories/533

dman777 commented 6 years ago

If forever does not listen on ports, is this really a threat/issue?

rahul-desai3 commented 5 years ago

I still see these in my test results. Any update yet?