keystonejs / keystone-classic

Node.js CMS and web app framework
http://v4.keystonejs.com
MIT License

Security Issues #2936

Open hubdotcom opened 8 years ago

hubdotcom commented 8 years ago

https://snyk.io/test/github/keystonejs/keystone

High severity (1) Medium severity (5) Low severity (5)

maxkoryukov commented 8 years ago

@hubdotcom is the link broken?

mxstbr commented 8 years ago

One can't directly link to test results with snyk apparently.

Go to https://snyk.io, click "Test" at the top and enter "keystonejs/keystone" to see the results! Here's the high and medium severity stuff copy & pasted:


Content & Code Injection (XSS)

High severity
Vulnerable module: marked
Introduced through: marked@0.3.5
Detailed paths and remediation

Introduced through: keystone@keystonejs/keystone › marked@0.3.5
Remediation: No remediation path available.

marked is a markdown parser and compiler used for rendering markdown content to html. It is vulnerable to content injection attack allowing the attacker to bypass its output sanitization (sanitize: true) protection. Using the HTML Coded Character Set, attackers can inject javascript: code snippets into the output. For example, the following input javascript֍ocument;alert(1) will result in alert(1) being executed when the user clicks on the link.


Denial of Service (Event Loop Blocking)

Medium severity
Vulnerable module: qs
Introduced through: azure@0.10.6

Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-storage@0.3.3 › request@2.27.0 › qs@0.6.6
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-keyvault@0.9.2 › azure-common@0.9.10 › request@2.27.0 › qs@0.6.6
Remediation: Run snyk wizard to patch @.

When parsing a string representing a deeply nested object, qs will block the event loop for long periods of time. Such a delay may hold up the server's resources, keeping it from processing other requests in the meantime, thus enabling a Denial-of-Service attack.


Denial of Service (Memory Exhaustion)

Medium severity
Vulnerable module: qs
Introduced through: azure@0.10.6

Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-storage@0.3.3 › request@2.27.0 › qs@0.6.6
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-keyvault@0.9.2 › azure-common@0.9.10 › request@2.27.0 › qs@0.6.6
Remediation: Run snyk wizard to patch @.

During parsing, the qs module may create a sparse array (an array where not all elements are filled), and grow that array to the necessary size based on the indices used on it. An attacker can specify a high index value in a query string, thus making the server allocate a respectively big array. Truly large values can cause the server to run out of memory and cause it to crash - thus enabling a Denial-of-Service attack.


Improper minification of non-boolean comparisons

Medium severity
Vulnerable module: uglify-js
Introduced through: jade@1.11.0

Introduced through: keystone@keystonejs/keystone › jade@1.11.0 › transformers@2.1.0 › uglify-js@2.2.5
Remediation: Run snyk wizard to patch @.

Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure code, activated by minification.

Source: Node Security Project


Regular Expression Denial of Service

Medium severity
Vulnerable module: validator
Introduced through: azure@0.10.6

Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-common@0.9.13, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-compute@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-compute@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-hdinsight@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-hdinsight@0.10.2, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-mgmt@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-mgmt@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-monitoring@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-monitoring@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-network@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-network@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-scheduler@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-scheduler@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-scheduler@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-scheduler@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-sb@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-sb@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-sb@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-sb@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-sql@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-sql@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-store@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-store@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-storage@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-storage@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-subscription@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-subscription@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-trafficmanager@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-trafficmanager@0.10.2, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-website@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-asm-website@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-authorization@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-authorization@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-compute@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-compute@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-dns@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-dns@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-gallery@2.0.0-pre.16 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-common@0.9.13, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-insights@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-insights@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-keyvault@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-keyvault@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-network@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-network@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-resource@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-resource@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-storage@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-storage@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-website@0.10.0 › azure-common@0.9.12 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-arm-website@0.10.1, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-keyvault@0.9.2 › azure-common@0.9.10 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-keyvault@0.9.3, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-storage@0.3.3 › validator@3.1.0
Remediation: No direct dependency upgrade can address this issue. If possible, manually upgrade to azure-storage@0.4.4, or run snyk monitor to get notified when an easier upgrade or a patch becomes available.

The validator module, versions < 3.22.1, is vulnerable to Regular Expression Denial of Service (ReDoS).

Source: Node Security Project


Remote Memory Exposure

Medium severity
Vulnerable module: request
Introduced through: azure@0.10.6

Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-compute@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-hdinsight@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-mgmt@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-monitoring@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-network@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-scheduler@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-scheduler@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-sb@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-sb@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-sql@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-store@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-storage@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-subscription@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-trafficmanager@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-asm-website@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-authorization@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-compute@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-dns@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-gallery@2.0.0-pre.16 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-insights@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-keyvault@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-network@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-resource@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-storage@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-arm-website@0.10.0 › azure-common@0.9.12 › request@2.45.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-storage@0.3.3 › request@2.27.0
Remediation: Run snyk wizard to patch @.
Introduced through: keystone@keystonejs/keystone › azure@0.10.6 › azure-keyvault@0.9.2 › azure-common@0.9.10 › request@2.27.0
Remediation: Run snyk wizard to patch @.

A potential remote memory exposure vulnerability exists in request. If a request uses a multipart attachment and the body type option is number with value X, then X bytes of uninitialized memory will be sent in the body of the request.

Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak.
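The marked advisory above describes a sanitizer that looks for a "javascript:" prefix before the HTML character references in the link target have been decoded, so an encoded colon or letter slips past it. The following is an added example, not code from marked or from Keystone, of how a defender writes that check: decode references and browser-tolerated control characters first, then allowlist the scheme instead of denylisting one bad one. The function names and the allowlist are this example's own choices.

```javascript
// Added example (not marked's or KeystoneJS's code): check a link href only
// after normalising it the way a browser will, then allowlist schemes.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', tab: '\t', newline: '\n' };
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumption: policy of this example

// Decode numeric (&#58; / &#x3a;) and a few named references. The trailing
// semicolon is optional, as in HTML parsing; a sanitizer that only matches
// "&...;" misses "&#58" followed directly by more text.
function decodeCharRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    let cp;
    if (hex !== undefined) cp = parseInt(hex, 16);
    else if (dec !== undefined) cp = parseInt(dec, 10);
    else {
      const v = NAMED_REFS[name.toLowerCase()];
      return v === undefined ? m : v; // unknown named reference: leave as-is
    }
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Normalise before reading the scheme: decode references (repeatedly, so a
// double-encoded "&amp;#58;" is also caught), drop ASCII control characters
// and whitespace that browsers ignore inside a scheme, and lowercase.
function normaliseHref(href) {
  let s = String(href);
  for (let i = 0; i < 3; i++) {
    const next = decodeCharRefs(s);
    if (next === s) break;
    s = next;
  }
  s = s.replace(/[\u0000-\u0020\u007f]/g, '');
  return s.toLowerCase();
}

// True only for relative URLs or URLs whose scheme is on the allowlist.
function isSafeHref(href) {
  const s = normaliseHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (!m) {
    // No well-formed scheme. Accept if there is no ':' at all, or the first
    // ':' comes after a path/query/fragment delimiter (a relative URL).
    const colon = s.indexOf(':');
    const firstDelim = s.search(/[/?#]/);
    return colon === -1 || (firstDelim !== -1 && firstDelim < colon);
  }
  return ALLOWED_SCHEMES.has(m[1]);
}

// Stand-alone run: a few constructed hrefs through the check.
for (const h of ['https://example.com/x', '/docs?a=1&amp;b=2', 'javascript&#58;alert(1)', 'JAVA\tSCRIPT:x']) {
  console.log(JSON.stringify(h), '->', isSafeHref(h) ? 'allowed' : 'rejected');
}
```

The allowlist is the point: a denylist has to anticipate every encoding and every dangerous scheme (`javascript:`, `data:`, `vbscript:`), while an allowlist only has to name the few schemes the site actually links to.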
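The two qs advisories above (event loop blocking on deeply nested keys, memory exhaustion on a huge array index) share one root cause: the parser let the query string dictate how much structure to build. The following is an added example, not qs's own code, of a minimal bracket-notation parser with the two limits qs adopted, a maximum nesting depth and a maximum numeric index above which an index is treated as a plain object key. The defaults of 5 and 20 and all function names are this example's own choices.

```javascript
// Added example (not qs's code): a bracket-notation query parser that bounds
// nesting depth and refuses to allocate sparse arrays for large indices.
const DEFAULTS = { depth: 5, arrayLimit: 20 }; // assumption: this example's defaults
// Keys that would let "a[__proto__][x]=1" reach Object.prototype; skipped outright.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"]. Once `depth` brackets have been
// consumed, whatever remains becomes ONE literal segment, so the structure
// built for a 10000-level key is at most `depth` + 1 levels deep.
function splitKey(key, depth) {
  let i = key.indexOf('[');
  if (i === -1) return [key];
  const segments = [key.slice(0, i)];
  const bracket = /\[([^\]]*)\]/g;
  bracket.lastIndex = i;
  let m;
  let count = 0;
  while (count < depth && (m = bracket.exec(key)) !== null && m.index === i) {
    segments.push(m[1]);
    i = bracket.lastIndex;
    count++;
  }
  if (i < key.length) segments.push(key.slice(i)); // depth exceeded or malformed: literal tail
  return segments;
}

// A segment is an array index only if it is a canonical non-negative integer
// no larger than arrayLimit. "a[999999999]" therefore becomes an object key
// costing one property, not a sparse array of a billion slots.
function isIndex(seg, arrayLimit) {
  return /^(0|[1-9][0-9]*)$/.test(seg) && Number(seg) <= arrayLimit;
}

function containerFor(seg, arrayLimit) {
  return seg === '' || isIndex(seg, arrayLimit) ? [] : {};
}

function assign(root, segments, value, arrayLimit) {
  let parent = null;
  let parentKey = null;
  let cur = root;
  for (let k = 0; k < segments.length; k++) {
    const seg = segments[k];
    if (UNSAFE_KEYS.has(seg)) return;
    let key;
    if (Array.isArray(cur)) {
      if (seg === '') key = cur.length;                  // "a[]=x" appends
      else if (isIndex(seg, arrayLimit)) key = Number(seg);
      else {
        // Non-index key (including an over-limit index): demote the array to a
        // plain object keyed by the indices it already holds.
        cur = Object.assign({}, cur);
        parent[parentKey] = cur;
        key = seg;
      }
    } else {
      key = seg;
    }
    if (k === segments.length - 1) {
      cur[key] = value;
    } else {
      if (cur[key] === undefined || typeof cur[key] !== 'object') {
        cur[key] = containerFor(segments[k + 1], arrayLimit);
      }
      parent = cur;
      parentKey = key;
      cur = cur[key];
    }
  }
}

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

function parseQuery(query, options = {}) {
  const { depth, arrayLimit } = { ...DEFAULTS, ...options };
  const result = {};
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    assign(result, splitKey(key, depth), value, arrayLimit);
  }
  return result;
}

// Stand-alone run on constructed inputs: the over-limit index stays cheap.
console.log(JSON.stringify(parseQuery('a[0]=x&a[100000000]=y&b[c][d]=1')));
```

The demotion from array to object is the part to get right: once one over-limit index arrives, the whole container becomes an object, so the cost is proportional to the number of pairs the client actually sent, never to the numbers it chose.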

hubdotcom commented 8 years ago

Thanks @mxstbr

VinayaSathyanarayana commented 8 years ago

Any updates on this?

r1b commented 8 years ago

Almost all of these are in @Azure, which keystone has at latest. It would make sense to raise those upstream.
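The "Introduced through" chains in the Snyk output above are paths through the dependency tree, and the question this thread raises (is the vulnerable module reachable only through `azure`?) can be answered by walking that tree. The following is an added example, not Keystone's or Snyk's code; it walks a tree in the shape `npm ls --json` prints. The tree embedded here is constructed by hand to mirror a few of the chains above and is not real `npm ls` output; real output also marks deduplicated packages without repeating their subtree, which this example does not handle.

```javascript
// Added example (not KeystoneJS's or Snyk's code): find every path to a
// package in an `npm ls --json`-shaped tree and test whether all of them run
// through one optional dependency.

// Constructed sample tree mirroring chains from the advisory output; not real output.
const SAMPLE_TREE = {
  name: 'keystone', version: '0.0.0-sample',
  dependencies: {
    marked: { version: '0.3.5' },
    azure: {
      version: '0.10.6',
      dependencies: {
        'azure-storage': {
          version: '0.3.3',
          dependencies: { request: { version: '2.27.0', dependencies: { qs: { version: '0.6.6' } } } },
        },
        'azure-keyvault': {
          version: '0.9.2',
          dependencies: {
            'azure-common': {
              version: '0.9.10',
              dependencies: { request: { version: '2.27.0', dependencies: { qs: { version: '0.6.6' } } } },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk. Returns every chain root › ... › target as an array of
// "name@version" labels; omit targetVersion to match any version.
function findPaths(tree, targetName, targetVersion) {
  const out = [];
  (function walk(node, name, trail) {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === targetName && (targetVersion === undefined || node.version === targetVersion)) {
      out.push(here);
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(child, dep, here);
  })(tree, tree.name, []);
  return out;
}

function formatPath(path) {
  return path.join(' › ');
}

// True when every path passes through pkgName somewhere below the root, i.e.
// dropping that one dependency would remove every route to the target.
function onlyReachableVia(paths, pkgName) {
  return paths.length > 0 && paths.every((p) => p.slice(1).some((label) => label.startsWith(pkgName + '@')));
}

// Stand-alone run.
for (const p of findPaths(SAMPLE_TREE, 'qs', '0.6.6')) console.log(formatPath(p));
console.log('qs only via azure:', onlyReachableVia(findPaths(SAMPLE_TREE, 'qs', '0.6.6'), 'azure'));
console.log('marked only via azure:', onlyReachableVia(findPaths(SAMPLE_TREE, 'marked'), 'azure'));
```

To run it against a real install, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json` in the project directory; a vulnerable module whose every path passes through an unused optional dependency is a candidate for the split into external packages discussed below, while one with a direct path (like `marked` here) is not.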

VinayaSathyanarayana commented 8 years ago

So installations that are not using Azure Services would not be impacted. Is there a way to not use/turn off Azure?

JedWatson commented 8 years ago

@VinayaSathyanarayana we're working to separate the file field dependencies out of Keystone itself into optional external packages - this should be done by the time 0.4 is launched properly

molomby commented 6 years ago

I'll re-run these tests and investigate when I'm done with #4437

vonEdfa commented 6 years ago

Is this still present?

sandeepl337 commented 6 years ago

I suppose all the issues were fixed.


autoboxer commented 5 years ago

I believe the list has changed, but there are still 1 high and 4 medium severity issues found by snyk. Posting this for visibility.