mwilliamson / mammoth.js

Convert Word documents (.docx files) to HTML
BSD 2-Clause "Simplified" License

JSZip vulnerability 3.7.1 #409

Open Alex-Hay opened 2 months ago

Alex-Hay commented 2 months ago

Hi there,

Would it be possible to update the JSZip dependency to v3.8.0 or later to avoid the CVE-2022-48285 vulnerability?

Thanks, Alex

mwilliamson commented 2 months ago

I could be mistaken, but from a first glance, I don't think mammoth.js is affected by the vulnerability since it doesn't extract the files in a ZIP onto disk, or otherwise use the paths as anything other than keys into the ZIP file.

Also, since the version range is ^3.7.1, I believe 3.8.0 or later would satisfy that dependency i.e. you should be able to update JSZip with the current version of mammoth.js.

There is a bundled version of mammoth.js for the browser that includes a specific version of JSZip, but since that's intended for use in the browser, I don't think that potential vulnerability is an issue since you can't access files on disk from the browser anyway (and again, I don't think mammoth.js uses JSZip in that way).

None of which is to say that I'm against updating JSZip to be on the safe side, but (assuming the above is correct!) I don't think it's urgent?

rmc47 commented 1 month ago

Hi Mike - hope you're well! Sorry, this was my fault...

I agree with your statement that Mammoth isn't directly affected by this vuln - unfortunately, the presence of the JSZip lib is enough to trip up vulnerability scanners which report the presence of the vulnerable library (without the additional context to know whether it's used in a way that allows the vulnerability to be exploited).

If it's a trivial update to take, it'd be lovely to clean up the noise, but agree it's not urgent.

mwilliamson commented 1 month ago

Hello Rob! No need to apologise, it's an entirely reasonable request. Given mammoth.js depends on a version range of JSZip that should hopefully include versions not affected by the vulnerability, I think you can upgrade JSZip without needing any changes in mammoth.js? Or is the issue the vulnerability is being detected in the bundled browser build?

Alex-Hay commented 1 month ago

Hi Mike,

Just chiming in on this; apologies, I should have been clearer in my initial comment – we are currently using the Mammoth WordPress plugin. If it would be possible to update the bundled JSZip version in the Mammoth WordPress plugin, that would be really helpful!

mwilliamson commented 1 month ago

Ah, I see! Unfortunately, updating the WordPress plugin is a bit more of a pain, although there are some changes from the most recent versions of mammoth.js that should probably go in at some point anyway.