Open alhugot opened 6 years ago
Unfortunately, bumping static-module
to the unvulnerable 2.x
series won't be trivial.
Changes from PRs https://github.com/substack/static-eval/pull/18 and https://github.com/browserify/static-module/pull/38 appear to be incompatible with cwise
.
From my findings, static-module
fails (i.e. does not transform cwise({args: [], body: () => {}})
expressions) whenever body()
mutates one if its input arguments.
For example, with
// cmd.js
var fs = require('fs')
var sm = require('./lib/cwise-transform')()
process.stdin.pipe(sm).pipe(process.stdout)
// works.js
var cwise = require('cwise')
var f = cwise({
args: ["array"],
body: function() {
return 'yo'
},
})
// fails.js
var cwise = require('cwise')
var f = cwise({
args: ["array"],
body: function(a) {
++a
},
})
then, node cmd.js < works.js
works just fine (but doesn't do anything :smirk: ), and node cmd.js < fails.js
outputs:
var f = cwise({
args: ["array"],
body: function(a) {
++a
}
})
that is, it correctly removes the require
statement, but ignores the cwise
call.
Thanks for looking at it. I tried to update the dependency but the tests are failing (I am on windows and not familiar with these libs). But I am able to run the examples which are in the example dir.
+1
@alhugot I believe your patch in https://github.com/alhugot/cwise/commit/39b4ad8a1c67d94903bdc139e59bc764e59bad6f defeats the purpose of browserify suite where cwise is used as a transform.
To double-check, would you mind comparing the output of browserify -t cwise test/fill.js
using old and new static-module
versions?
@etpinard I am sorry I don't know much about browserify. Do you mean changing
var cwise = require("cwise")
tovar cwise = require("../cwise")
in the unit test?
ok I see, I have look at https://github.com/scijs/ndarray-fill module which use cwise and indeed the transform is wrong, as in your example. Sorry a bit slow on this one.
. Sorry a bit slow on this one.
No worries. Thanks for the help!
+1
@etpinard browserify -t cwise test/fill.js
outputs are the same with static-module@2.2.5
@hakandilek thanks for the headsup, but npm test
fails for me with static-module@2.2.5
.
What's the reason? Check out my linked pull request. I've integrated Travis ci also for the actual nodejs versions.
On Wed, 30 May 2018, 17:44 Étienne Tétreault-Pinard, < notifications@github.com> wrote:
@hakandilek https://github.com/hakandilek thanks for the headsup, but npm test fails for me with static-module@2.2.5.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/scijs/cwise/issues/19#issuecomment-393211941, or mute the thread https://github.com/notifications/unsubscribe-auth/ABBdWf3KaUh7_bwyNR-hvHwpcEnxsTS3ks5t3r5jgaJpZM4SMRVS .
Check out my linked pull request.
Ha. Sorry I missed that. Thanks for the PR.
any update on this issue ?
potential security vulnerability +1
Hello! Is there any update on this one...Is this https://github.com/scijs/cwise/pull/21 successfully merged?
Thank you!
Hi, this is perhaps not the place to report it, please feel free to close the issue, but the version of static-module specified in the package.json is affected by this security vulnerability: https://nodesecurity.io/advisories/548 cwise@1.0.10 > static-module@1.5.0 > static-eval@0.2.4
I have tried to update static-module to version ^2.0.0 which fixes the issue: https://github.com/browserify/static-module/issues/34
...but the tests are failing. I do no know this code enough to fix it, any help is welcome.
This is part of making plotly.js pass security tests: https://github.com/plotly/plotly.js/issues/2386
Would also be good to have a security badge with: snyk: https://github.com/snyk/snyk#badge or nsp: see https://github.com/dwyl/repo-badges Thx Alex