postalsys / mailauth

Command line utility and a Node.js library for email authentication

Used node-forge has a security vulnerability #12

Closed augjoh closed 2 years ago

augjoh commented 2 years ago

Describe the bug

The used node-forge package has a security vulnerability. While the code in question may not be triggered by mailauth, the vulnerable module breaks our CI/CD process. Please upgrade node-forge:

$ npm audit --production
# npm audit report
node-forge  <1.3.0
Severity: moderate
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
No fix available
node_modules/mailauth/node_modules/node-forge
  mailauth  *
  Depends on vulnerable versions of node-forge
  node_modules/mailauth
2 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.

What are your problems replacing node-forge with webcrypto completely?

andris9 commented 2 years ago

node-forge is a fallback mechanism for older Node.js versions that do not support the modulusLength key object property. So whatever vulnerability node-forge might have, it is not relevant to mailauth at all, as node-forge is only used to calculate modulus length for public keys in Node.js versions older than 15.7.0. Once something changes in mailauth itself I'll also upgrade all the dependencies. It's too bothersome to run the build pipeline (a mailauth release includes a signed cli executable etc.) just to upgrade one dependency that changes nothing.

augjoh commented 2 years ago

@andris9: Thanks for looking into this issue. Please let me emphasize that this issue is a pain-in-the-arm for us. Our continuous integration (CI) has a step where npm audit is called. This automation cannot determine if the reported security vulnerability can be triggered or not. It simply fails. This breaks our development process, and each CI pipeline has to be inspected manually to see if a failure is the non-critical mailauth one or a new security vulnerability. Our scheduled builds fail because of this issue. So this is really bothersome for us.

Please have another look here. Perhaps it is possible to release the library more often than the signed cli executable or release the binary in a different (automated) way.

augjoh commented 1 year ago

@andris9 With v3.0.0 (https://github.com/postalsys/mailauth/commit/d00d2922a26b768dafad38509abb18762452b4a4) you've dropped support for node 14. Could you remove the node-forge dependency now?

andris9 commented 1 year ago

Removed node-forge