google / clasp

Command Line Apps Script Projects
https://developers.google.com/apps-script/guides/clasp
Apache License 2.0

Clasp fails at CASA Tier 2 scan due to a vulnerability in cacheable-request at version 7.0.2 #961

Open Frenchcooc opened 1 year ago

Frenchcooc commented 1 year ago

Expected Behavior

As part of Google's OAuth verification process, I had to self-scan my application for CASA Tier 2. It appeared that one of @google/clasp dependencies has a known vulnerability.

Here's an excerpt of my CASA scan:

| CWE | stream | title | description |
| --- | --- | --- | --- |
| 937 | skims | 393. Use of software with known vulnerabilities in development | Use of cacheable-request at version 7.0.2 with ['GHSA-8x6c-cv3v-vp6g'] in OWASP/codebase/addon-gsheets/addon/yarn.lock |

If I take only a subset of my yarn.lock, the dependency chain at fault is as follows:

"@google/clasp@^2.4.2":
  version "2.4.2"
  dependencies:
    ...
    is-reachable "^5.0.0"
    ...

is-reachable@^5.0.0:
  dependencies:
    ...
    got "^11.7.0"
    ...

got@^11.7.0:
  version "11.8.6"
  dependencies:
    ...
    cacheable-request "^7.0.2"
    ...

or more visually:

"@google/clasp@^2.4.2"
└── is-reachable "^5.0.0"
    └── got@^11.7.0
        └── cacheable-request "^7.0.2"

And indeed, all versions of cacheable-request before `10.2.7` are impacted by a vulnerability (GHSA-8x6c-cv3v-vp6g).

To be honest, I don't think this vulnerability could be exploited in clasp, but not fixing this would make all add-ons that rely on @google/clasp not compliant with Google's OAuth verification process.

Actual Behavior

I believe updating is-reachable to the latest version (5.2.1) will fix the issue.

Steps to Reproduce the Problem

  1. Install latest version of @google/clasp
  2. Look at your package-lock.json or yarn.lock
  3. The dependency cacheable-request is at version 7.0.2

Specifications
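The chain above can be found mechanically rather than by reading the lock file by hand. The following is an added example (not clasp's code) that parses a yarn.lock v1 excerpt, walks the dependency graph from @google/clasp, and reports each chain that resolves cacheable-request to a version below 10.2.7; the sample lock text is constructed from the issue's excerpt, and is-reachable's own version (5.0.0) plus the cacheable-request entry are assumed.

```javascript
// Constructed yarn.lock v1 excerpt mirroring the issue; is-reachable's own version and the cacheable-request entry are assumed.
const sampleLock = `
"@google/clasp@^2.4.2":
  version "2.4.2"
  dependencies:
    is-reachable "^5.0.0"
is-reachable@^5.0.0:
  version "5.0.0"
  dependencies:
    got "^11.7.0"
got@^11.7.0:
  version "11.8.6"
  dependencies:
    cacheable-request "^7.0.2"
cacheable-request@^7.0.2:
  version "7.0.2"
`;
function parseYarnLock(text) {           // -> { "name@range": { name, version, deps: { name: range } } }
  const entries = {};
  for (const block of text.trim().split(/\n(?=\S)/)) {       // one block per lock entry
    const [header, ...body] = block.split("\n");
    const keys = header.replace(/:$/, "").split(",").map(k => k.trim().replace(/^"|"$/g, ""));
    const entry = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: null, deps: {} };
    let inDeps = false;
    for (const line of body) {
      if (/^  \S/.test(line)) inDeps = line === "  dependencies:";   // 2-space lines open a section
      const v = line.match(/^  version "([^"]+)"$/), d = inDeps && line.match(/^    "?([^"\s]+)"? "([^"]+)"$/);
      if (v) entry.version = v[1]; else if (d) entry.deps[d[1]] = d[2];
    }
    keys.forEach(k => { entries[k] = entry; });
  }
  return entries;
}
function versionLt(a, b) {               // numeric major.minor.patch compare; prerelease tags not handled
  const [pa, pb] = [a, b].map(v => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
function vulnerableChains(entries, rootKey, vuln, fixedIn) {   // depth-first: chains root -> vuln below fixedIn
  const found = [], walk = (key, path) => {
    const e = entries[key];
    if (!e || path.includes(key)) return;            // entry missing from the excerpt, or a cycle
    const chain = [...path, key];
    if (e.name === vuln && versionLt(e.version, fixedIn))
      found.push(chain.map(k => `${entries[k].name}@${entries[k].version}`).join(" > "));
    for (const [dep, range] of Object.entries(e.deps)) walk(`${dep}@${range}`, chain);
  };
  walk(rootKey, []);
  return found;
}
```

Calling `vulnerableChains(parseYarnLock(sampleLock), "@google/clasp@^2.4.2", "cacheable-request", "10.2.7")` returns the single chain `@google/clasp@2.4.2 > is-reachable@5.0.0 > got@11.8.6 > cacheable-request@7.0.2`; against a real lock file the same call shows whether bumping is-reachable actually breaks the chain.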

Frenchcooc commented 1 year ago

I'm happy to create a PR, but it feels like running npm run audit by an official maintainer would speed up the process here:

$ npm audit fix 

added 4 packages, removed 64 packages, changed 24 packages, and audited 617 packages in 9s

122 packages are looking for funding
  run `npm fund` for details

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

and among other things is-reachable would be updated:

  "node_modules/is-reachable": {
---      "version": "5.0.0",
---      "resolved": "https://registry.npmjs.org/is-reachable/-/is-reachable-5.0.0.tgz",
---      "integrity": "sha512-frRPbdrQWEqbnF1il9Dyrf52Q40exkHdo4/grWMjHrBn4G1DKC9sbuQihgANkJPNi2eosU4AXBsrITdXmc3IQg==",
+++      "version": "5.2.1",
+++      "resolved": "https://registry.npmjs.org/is-reachable/-/is-reachable-5.2.1.tgz",
+++      "integrity": "sha512-ViPrrlmt9FTTclYbz6mL/PFyF1TXSpJ9y/zw9QMVJxbhU/7DFkvk/5cTv7S0sXtqbJj32zZ+jKpNAjrYTUZBPQ==",
      "dependencies": {
        "arrify": "^2.0.1",
        "got": "^11.7.0",
        "is-port-reachable": "^3.0.0",
        "p-any": "^3.0.0",
        "p-timeout": "^3.2.0",
        "prepend-http": "^3.0.1",
        "router-ips": "^1.0.0",
---     "url-parse": "^1.4.7"
+++     "url-parse": "^1.5.10"
      },