gatsbyjs / gatsby

The best React-based framework with performance, scalability and security built in.
https://www.gatsbyjs.com
MIT License

Decompress security warning means gatsby-plugin-sharp and gatsby-source-contentful fail audit #21791

Closed galvogalvo closed 4 years ago

galvogalvo commented 4 years ago

There is an NPM high severity warning for kevva/decompress which means yarn audit fails when using the gatsby-plugin-sharp and gatsby-source-contentful plugins.

See: https://www.npmjs.com/advisories/1217
Issue here: https://github.com/kevva/decompress/issues/71

pieh commented 4 years ago

Thanks for the notice!

Unfortunately there is not much we can do in gatsby directly to address it yet, as decompress is a dependency-of-a-dependency type scenario:

gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-build#decompress
gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-build#download#decompress
gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-wrapper#download#decompress

There is an open pull request in the decompress repository to address the vulnerability: https://github.com/kevva/decompress/pull/73

So please watch that pull request; once this is handled there and published, it will be a matter of updating this package in your lock files, as the bin-build package already allows a version range in its dependencies: ("decompress": "^4.0.0" - via https://unpkg.com/browse/bin-build@3.0.0/package.json)

jimmyandrade commented 4 years ago

Also encountering this issue:

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build │
│               │ > decompress                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-build > decompress                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin > bin-build  │
│               │ > decompress                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build │
│               │ > download > decompress                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-build > download > decompress                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin > bin-build  │
│               │ > download > decompress                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg >           │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin >            │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ netlify-cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ netlify-cli > gh-release-fetch > download > decompress       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
ghost commented 4 years ago

Yeah, I'm receiving the Arbitrary File Write vulnerability in my npm audit as well. Is there a patch scheduled for that separately, or is it related to the path traversal mentioned earlier in this bug thread?

sr1ch1 commented 4 years ago

The path traversal fix is for the decompress-tar package, which is used by decompress, and it is the cause of this issue. After fixing decompress-tar, the decompress package should be updated to use the fixed decompress-tar package. That would solve the issue. I do not know when a patch will be scheduled. I made the PR to speed things up.

joshcummingsdesign commented 4 years ago

@pieh That project looks abandoned. Is there another package that can be used in its place? Also, is gatsby-plugin-sharp a devDependency since it's only used in the build, or should I be worried about my production site having this vulnerability?

jordanlesich commented 4 years ago

@vladar Sorry, this is mostly for my own understanding, but how is this related to the error that I had? I hadn't installed either of these plugins.

pieh commented 4 years ago

@pieh That project looks abandoned. Is there another package that can be used in its place?

Possibly. All of those affected deps of deps are for minimizing images.

Also, is gatsby-plugin-sharp a devDependency since it's only used in the build, or should I be worried about my production site having this vulnerability?

gatsby-plugin-sharp is not included in the result bundles, but the images it produces are.

The decompress there is used to decompress image-processing archives etc. and later on compile them to binaries. It doesn't accept an arbitrary payload, only what the imagemin-x packages have hardcoded as needed to build. In other words, the decompress vulnerability doesn't impact it (if those imagemin-x packages accepted arbitrary input for binaries, then it could be affected).

Btw, those audit advisories provide a lot of worry, but you do have to inspect them and the affected packages to see if you are really affected or not. And there is a lot of nuance in those matters that those advisories do not explain.

mikhail-shishov commented 4 years ago

So what should we do as Gatsby users? I'm kinda worried about this vulnerability.

jordanlesich commented 4 years ago

I was able to work around this by installing WSL (Windows Subsystem for Linux) and Ubuntu on a freshly formatted hard drive (I'm not sure if this was necessary; it might work by just removing existing node modules). I then installed nvm by cURL. I'm guessing that by installing npm through Linux I was able to avoid the problems with decompress.

TBH, I don't really know why this worked for me, but I am now running gatsby-source-filesystem without receiving the security warnings. It also doesn't crash my project when I run gatsby develop, which is a big plus. I'll post back if anything changes.

olegchursin commented 4 years ago

It is really hard to sell Gatsby to the rest of the dev team with these npm audit warnings.

danielmgzzg commented 4 years ago

This error is now happening in all our gatsby projects; has anyone found a workaround yet?

pieh commented 4 years ago

We are waiting a few more days for a response from the decompress maintainers, and if there isn't any, we will likely fork the imagemin-x packages and replace the usage of decompress there.

jimmyandrade commented 4 years ago

@pieh thanks for the answer. An issue reporting this was created by @medikoo two weeks ago in https://github.com/kevva/download/issues/189 and another by @simotae14 in https://github.com/kevva/decompress/issues/76, and we've had no response from maintainers so far.

The last commit on the decompress repo was on Aug 22, 2017 (https://github.com/kevva/decompress/commit/74a462a139cc2561b6695e696266c8dc31562d3d) and, unless they choose to open repo access to more people, my bet is that we will not have any news.

So, how much longer do you think we could wait for an answer before replacing the usage of decompress?

danielmgzzg commented 4 years ago

Kind petition to replace the usage of decompress. Who's with me?

jimmyandrade commented 4 years ago

There is a joint effort by the community to address this vulnerability directly in decompress (see https://github.com/kevva/decompress/pull/73) and related repositories. I believe they are waiting for a timely response from the maintainers to make the decision to fork the project 😄

byebyers commented 4 years ago

Want to see if there are any updates on this?

jimmyandrade commented 4 years ago

@byebyers I was taking a look at https://github.com/kevva/decompress/pull/73 and noticed that the repo maintainer has not yet responded on the pull request 😢

byebyers commented 4 years ago

Thank you for checking 😄

mrpickles3rd commented 4 years ago

I have just gone through all the forks and one is getting updated with security patches: Atomic-Reactor/decompress. It may be worth having a quick look.

preshetin commented 4 years ago

The latest version of decompress should resolve this issue. The NPM advisory has been updated as well: https://www.npmjs.com/advisories/1217

I'll try to create the PR (it will be my first one here).

preshetin commented 4 years ago

I think now, however, that this dependency would be updated automatically, so there is no need to make it manually.

pieh commented 4 years ago

I think now, however, that this dependency would be updated automatically, so there is no need to make it manually.

Lock files might pin the decompress version, so you might need to update those in your projects:

I will be updating starters that we maintain today, so gatsby new (when using one of those) will just start with this taken care of.