nodejs / node-gyp

Node.js native addon build tool
MIT License

Security Vulnerabilities in node-gyp #2884

Open railsmith opened 1 year ago

railsmith commented 1 year ago

The security team in our organization has found the below vulnerabilities in the node-gyp module. Is there a newer version of the module which fixes the below vulnerabilities?

Vulnerability 1

Path Manipulation - "Path manipulation errors occur when the following two conditions are met:

  1. An attacker can specify a path used in an operation on the file system.

  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

For example, the program might give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Example 1: The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

  rName = req.field('reportName')
  rFile = os.open("/usr/local/apfr/reports/" + rName)
  ...
  os.unlink(rFile);

Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

  ...
  filename = CONFIG_TXT['sub'] + ".txt";
  handle = os.open(filename)
  print handle
  ..."

Source file path - node-gyp/gyp/pylib/gyp/mac_tool.py

Vulnerability 2

Weak Cryptographic Hash - "MD2, MD4, MD5, RIPEMD-160, and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. However, as recent cryptanalysis research has revealed fundamental weaknesses in these algorithms, they should no longer be used within security-critical contexts.

Effective techniques for breaking MD and RIPEMD hashes are widely available, so those algorithms should not be relied upon for security. In the case of SHA-1, current techniques still require a significant amount of computational power and are more difficult to implement. However, attackers have found the Achilles' heel for the algorithm, and techniques for breaking it will likely lead to the discovery of even faster attacks."

Source file path - node-gyp/gyp/pylib/gyp/MSVSNew.py
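The two Fortify examples quoted above describe the generic pattern, not any node-gyp code. As an added illustration (not from this issue, Fortify, or node-gyp), the Python below puts the naive concatenation next to a containment check: the candidate path is resolved and accepted only if it still sits under the base directory, which also covers the Example 2 case where appending a fixed ".txt" suffix does nothing to stop a "../" in the configured value. The base directory is the one from the quoted example; the file names are constructed inputs and the function names are hypothetical.

```python
from pathlib import Path

# Base directory taken from the quoted Fortify example. It does not need to
# exist: the checks below only normalize paths, they do not open files.
REPORTS_DIR = Path("/usr/local/apfr/reports")


def unsafe_report_path(base: Path, name: str, suffix: str = "") -> Path:
    """The pattern Fortify flags: plain string concatenation, so any '..'
    segment in `name` walks out of `base`, and a fixed suffix does not help."""
    return Path(str(base) + "/" + name + suffix)


def safe_report_path(base: Path, name: str, suffix: str = "") -> Path:
    """Return the normalized path of base/name+suffix, or raise ValueError
    if that path would not lie strictly inside `base`.

    Absolute names are rejected up front because `base / name` silently
    discards `base` for them. '..' segments are collapsed by resolve(), and
    the result is then compared against the resolved base so symlinked base
    directories are handled the same way on both sides.
    """
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    if Path(name).is_absolute():
        raise ValueError(f"absolute path not allowed: {name!r}")
    base_resolved = base.resolve()
    candidate = (base / (name + suffix)).resolve()
    # Subdirectories of base are allowed; anything else (including base itself)
    # is refused.
    if base_resolved not in candidate.parents:
        raise ValueError(f"path escapes {base}: {name!r}")
    return candidate


def is_contained(base: Path, name: str, suffix: str = "") -> bool:
    """Boolean form of the check, convenient for reporting and testing."""
    try:
        safe_report_path(base, name, suffix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign report name, the file name from
    # Example 1, and two config values in the shape of Example 2.
    samples = [
        ("q3.pdf", ""),
        ("../../tomcat/conf/server.xml", ""),
        ("notes", ".txt"),
        ("../../etc/hosts", ".txt"),
    ]
    for name, suffix in samples:
        print(f"{name + suffix!r:40} naive   -> {unsafe_report_path(REPORTS_DIR, name, suffix)}")
        verdict = "ok" if is_contained(REPORTS_DIR, name, suffix) else "REJECTED"
        print(f"{'':40} checked -> {verdict}")
```

The check is deliberately a containment test rather than a denylist of "../" substrings: encoded or doubled separators that a denylist misses still resolve to a concrete path, and it is that resolved path that has to be under the base.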

cclauss commented 1 year ago

The team must be looking at old source code.

Example 2 shows Python 2 code which node-gyp has not supported for many years. In those three lines of code:

https://github.com/nodejs/node-gyp/blob/main/gyp/pylib/gyp/mac_tool.py does not contain the text:

On "Vulnerability 2" the MakeGuid() is using hashlib.md5() merely to build a globally unique identifier. This is not a cryptographic use of a hash.

https://github.com/nodejs/node-gyp/blob/53c99ae573bd5a5435e843b7de6b2e684f4de4d3/gyp/pylib/gyp/MSVSNew.py#L32

https://github.com/nodejs/node-gyp/blob/53c99ae573bd5a5435e843b7de6b2e684f4de4d3/gyp/pylib/gyp/MSVSNew.py#L48
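To illustrate the distinction cclauss draws, here is an added Python example; it is not node-gyp's MakeGuid() and does not reproduce how GYP seeds its GUIDs, and the function names are hypothetical. It derives a stable, GUID-shaped identifier from a name with MD5 and marks that call as a non-security use through hashlib's usedforsecurity flag (Python 3.9+), then puts the genuinely security-relevant use of a hash, integrity verification of some bytes, on SHA-256 with a constant-time comparison.

```python
import hashlib
import hmac
import uuid


def _md5_non_security(data: bytes):
    """MD5 for identifier derivation only. usedforsecurity=False (Python 3.9+)
    records that intent and keeps the call available on FIPS-mode builds,
    where MD5 is otherwise refused; it does not change the digest."""
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity parameter
        return hashlib.md5(data)


def stable_guid(name: str, seed: str = "") -> str:
    """Map a name (plus an optional seed) to a GUID-shaped string in the
    braced, upper-case form Visual Studio project files use.

    The only property needed here is determinism: the same input must always
    produce the same 128-bit value so regenerated project files keep their
    identifiers. Collision resistance against an adversary is not required,
    which is why a weak hash is acceptable for this purpose.
    """
    digest = _md5_non_security((seed + name).encode("utf-8")).digest()
    return "{" + str(uuid.UUID(bytes=digest)).upper() + "}"


def integrity_tag(data: bytes) -> str:
    """Where a hash is a security control (checking that an artifact was not
    tampered with), use a collision-resistant function such as SHA-256."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(integrity_tag(data), expected_hex)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(stable_guid("my_addon", seed="vcproj"))
    tag = integrity_tag(b"constructed artifact bytes")
    print(tag, verify_integrity(b"constructed artifact bytes", tag))
```

Static analysers that produce findings like the one quoted in this issue generally key on the algorithm name alone, so the flag will not necessarily clear the finding; what it does is document the non-security intent at the call site, which is the substance of cclauss's point.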

railsmith commented 1 year ago

@cclauss The example code shown is from the HP Fortify tool and not from the node-gyp module. The actual lines of code they are concerned about are as follows. We are using Angular in our project and we do not need node-gyp in our project, but unfortunately I figured out that angular-cli depends on node-gyp (angular-cli > pacote > npm-cli > node-gyp). Is there a clean way to remove node-gyp from the node_modules folder using npm or yarn, or should I replace angular-cli with webpack?

  Source FileName     Source Line
  mac_tool.py         606
  mac_tool.py         488
  MSVSUserFile.py     34
  pretty_vcproj.py    123
  mac_tool.py         659
  xcodeproj_file.py   433
  MSVSNew.py          48
  make.py             1995
  ninja.py            2814
  ninja.py            815
  MSVSNew.py          20
  gyp_main.py         41