hyperledger / fabric-sdk-node

Hyperledger Fabric SDK for Node https://wiki.hyperledger.org/display/fabric
https://hyperledger.github.io/fabric-sdk-node/
Apache License 2.0

Fabric-client package 2 critical vulnerabilities (v1.4) #508

Closed blockguardian closed 2 years ago

blockguardian commented 2 years ago

How to reproduce: Switch to branch "release-1.4" and then run npm audit

 === npm audit security report === 
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ RSA signature validation vulnerability                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jsrsasign                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jsrsasign                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jsrsasign                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1672                      │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jsrsasign                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=10.2.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ afc2d2ca8c9b81ce3c9042b6b679b071e21bd68e9fc9d5954e4a8fd6fba… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ afc2d2ca8c9b81ce3c9042b6b679b071e21bd68e9fc9d5954e4a8fd6fba… │
│               │ > jsrsasign                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1672                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
bestbeforetoday commented 2 years ago

This is the same issue reported in #500, although I appreciate this is specifically calling out the issue in the v1.4 release.

As mentioned in the other issue, this vulnerability relates to RSA signature validation, and the Node SDK does not deal with RSA signatures so this should not impact the Node SDK. Additionally, the v1.4 release is not beyond its support window. See the LTS release strategy: https://hyperledger.github.io/fabric-rfcs/text/0005-lts-release-strategy.html

If a fix for #500 can be easily cherry-picked back to the release-1.4 branch, we can back-port that fix once it's ready. If it requires a significant amount of rework, that may not be practical and it would be up to community contribution to deliver any fix to v1.4.

blockguardian commented 2 years ago

@bestbeforetoday I'm working on it. Can you please assign it to me?

blockguardian commented 2 years ago

@bestbeforetoday we had given a PR for the main branch for this issue and that was merged, but the changes for v1.4 will be different.

Here we have observed that both package.json and package-lock.json files are present in the code, but in the main branch we have just package.json. Is there any specific reason why we are maintaining it in 1.4 but not in main?

Also, we are facing difficulty in manually updating the package jsrsasign. Is there any procedure which we need to follow while updating the package in v1.4?

bestbeforetoday commented 2 years ago

The package-lock.json files were removed in later branches when we began to see issues running builds with multiple different Node versions using the same (checked in) package lock files. If it helps to get changes delivered, I would be happy for you to remove the package lock files in the release-1.4 branch too, and then prevent them from being accidentally re-added using .gitignore entries.

I don't recall anything special that needs to be done to update the jsrsasign dependency. It should just be a case of updating the appropriate package.json files. But you might need to delete your local package-lock.json and perhaps also node_modules directories before re-running npm install to be really sure any previous dependency versions are not left hanging around.
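A post-upgrade check for the situation described above, as an added example that is not part of the fabric-sdk-node project: after bumping jsrsasign in package.json and reinstalling, it walks node_modules (including copies nested under other packages) and fails if any installed copy is still below the patched version from the audit report (>=10.2.0). The helper names and the constructed sample tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not fabric-sdk-node code. Verifies that no stale copy of a
# dependency survives under node_modules after an upgrade, which is exactly
# what a leftover package-lock.json or node_modules directory can cause.

# version_ge A B -> exit 0 if semver A >= B (numeric major.minor.patch only).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0; if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# Extract the "version" field from a package.json without node or jq.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_dep ROOT NAME MIN -> lists every installed copy of NAME under
# ROOT/node_modules; exit 0 only if all of them are >= MIN.
check_dep() {
  root="$1"; name="$2"; min="$3"
  report=$(find "$root/node_modules" -type f -path "*/node_modules/$name/package.json" 2>/dev/null |
    while IFS= read -r pj; do
      v=$(pkg_version "$pj")
      if version_ge "$v" "$min"; then echo "ok    $pj ($v)"; else echo "STALE $pj ($v < $min)"; fi
    done)
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q '^STALE'
}

# Constructed sample tree (assumption): a patched top-level jsrsasign plus a
# stale copy nested under another package, the case the thread warns about.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/jsrsasign" "$d/node_modules/some-dep/node_modules/jsrsasign"
  printf '{"name":"jsrsasign","version":"10.2.0"}\n' > "$d/node_modules/jsrsasign/package.json"
  printf '{"name":"jsrsasign","version":"8.0.20"}\n' > "$d/node_modules/some-dep/node_modules/jsrsasign/package.json"
  echo "$d"
}

# Usage against a real checkout: check_dep /path/to/fabric-client jsrsasign 10.2.0
```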

blockguardian commented 2 years ago

Thanks @bestbeforetoday. We'll try this and proceed accordingly.