search

khrome / ascii-art

A Node.js library for ansi codes, figlet fonts, ascii art and other ASCII graphics
MIT License
681 stars 287 forks source link

Security updates in deps #32

Open optiguy opened 8 months ago

optiguy commented 8 months ago

ascii-art@2.8.5 has a couple of dependency updates, that should be updated due to a high risk, due to the version of d3-color and cli for this package. This is the result of running an audit on the package.

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ d3-color vulnerable to ReDoS                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ d3-color                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <3.1.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 >          │
│                     │ d3@5.16.0 > d3-brush@1.1.6 > d3-interpolate@1.4.0 >    │
│                     │ d3-color@1.4.1                                         │
│                     │                                                        │
│                     │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 >          │
│                     │ d3@5.16.0 > d3-brush@1.1.6 > d3-transition@1.3.2 >     │
│                     │ d3-color@1.4.1                                         │
│                     │                                                        │
│                     │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 >          │
│                     │ d3@5.16.0 > d3-brush@1.1.6 > d3-transition@1.3.2 >     │
│                     │ d3-interpolate@1.4.0 > d3-color@1.4.1                  │
│                     │                                                        │
│                     │ ... Found 13 paths, run `pnpm why d3-color` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-36jr-mh4h-2g58      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Arbitrary File Write in cli                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cli                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > ascii-art@2.8.5 > ascii-art-ansi@1.4.1 >           │
│                     │ color-difference@0.3.4 > cli@0.4.5                     │
│                     │                                                        │
│                     │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 >          │
│                     │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 >        │
│                     │ cli@0.4.5                                              │
│                     │                                                        │
│                     │ . > ascii-art@2.8.5 > ascii-art-image@1.4.0 >          │
│                     │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 >        │
│                     │ cli@0.4.5                                              │
│                     │                                                        │
│                     │ ... Found 5 paths, run `pnpm why cli` for more         │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-6cpc-mj5c-m9rq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Node CLI Allows Arbitrary File Overwrite               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cli                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.1.0 <=0.11.3                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > ascii-art@2.8.5 > ascii-art-ansi@1.4.1 >           │
│                     │ color-difference@0.3.4 > cli@0.4.5                     │
│                     │                                                        │
│                     │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 >          │
│                     │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 >        │
│                     │ cli@0.4.5                                              │
│                     │                                                        │
│                     │ . > ascii-art@2.8.5 > ascii-art-image@1.4.0 >          │
│                     │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 >        │
│                     │ cli@0.4.5                                              │
│                     │                                                        │
│                     │ ... Found 5 paths, run `pnpm why cli` for more         │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3mrp-qhcj-mwv5      │
└─────────────────────┴────────────────────────────────────────────────────────┘
khrome commented 8 months ago

Thanks for your report, these will be upgraded or removed in the coming 3.0 release.

Regarding the specifics of the report though: ascii art only uses d3-color in the d3 mode and uses a specific set of descriptions for color (RGB, hex or named values), so any vulnerability would come from generating unsanitized inputs in code (on a server). AKA allowing a user to upload source code and then processing that, since all non ANSI color handling is programmatic, which is, itself, highly questionable. I recommend not trying that in the first place, but will be updating to a version not vulnerable to ReDOS.

color-difference is on target to be removed (an inactive dep which is the culprit for the cli dep, even though that dep is not in the code path of anything executing in this lib).

Thanks again for the report, I'll leave it open until 3.0 drops.