neo4j / graphql

A GraphQL to Cypher query execution layer for Neo4j and JavaScript GraphQL implementations.
https://neo4j.com/docs/graphql-manual/current/
Apache License 2.0

Please release a new version of graphql-plugin-auth to resolve jsonwebtoken vuln #2686

Closed dennisjlee closed 1 year ago

dennisjlee commented 1 year ago

Describe the bug
npm audit reports a set of security issues with jsonwebtoken (a dependency of @neo4j/graphql-plugin-auth) that can't currently be resolved.

The fix for this has already landed in #2622 but just needs to be released. I noticed that other Neo4j graphql packages were released earlier today without including this plugin.

To Reproduce
Install @neo4j/graphql-plugin-auth and then run npm audit

Expected behavior
No security issues related to this package.

Screenshots

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
No fix available
node_modules/jsonwebtoken
  @neo4j/graphql-plugin-auth  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@neo4j/graphql-plugin-auth

neo4j-team-graphql commented 1 year ago

Many thanks for raising this bug report @dennisjlee. :bug: We will now attempt to reproduce the bug based on the steps you have provided.

Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:

If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket.

Thanks again! :pray:

dennisjlee commented 1 year ago

I should point out that I am not a crypto expert by any means, so I'm not sure if the breaking upgrade to jsonwebtoken 9.0.0 might have any negative impact on usage of the graphql-plugin-auth library!

neo4j-team-graphql commented 1 year ago

We've been able to confirm this bug using the steps to reproduce that you provided - many thanks @dennisjlee! :pray: We will now prioritise the bug and address it appropriately.

neo4j-team-graphql commented 1 year ago

This bug report has been assigned high priority to fix. If you wish to contribute a fix, please branch from master and submit your PR with the base set to master. Thanks!