sintaxi / surge

CLI for the surge.sh CDN
https://surge.sh

⚠please pin `colors` to `1.4.0` #469

Closed briantist closed 2 years ago

briantist commented 2 years ago

see: https://github.com/sintaxi/surge/issues/469#issuecomment-1008213809


Sometime within the last 24 hours from this post, it appears as though this package was somehow compromised. Running surge teardown from my CI, it spit out some very strange text (link to CI run):

https://gist.github.com/briantist/0b9422be100e6fba866e955be5d3da66

It's mostly the word testing masked with "zalgo" text.

I don't know what it was actually trying to do since it seems to have run out of memory in the github runner and crashed:

<--- Last few GCs --->
) [1528:0x4ebf890]    31964 ms: Mark-sweep (reduce) 2049.0 (2055.3) -> 2048.6 (2056.1) MB, 2550.2 / 0.0 ms  (+ 39.4 ms in 14 steps since start of marking, biggest step 7.2 ms, walltime since start of marking 2592 ms) (average mu = 0.092, current mu = 0.001)[1528:0x4ebf890]    34565 ms: Mark-sweep (reduce) 2049.6 (2053.1) -> 2049.2 (2054.6) MB, 2550.5 / 0.0 ms  (+ 47.9 ms in 14 steps since start of marking, biggest step 6.8 ms, walltime since start of marking 2601 ms) (average mu = 0.048, current mu = 0.001)

<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
 1: 0xa389b0 node::Abort() [node]
 2: 0x96e0af node::FatalError(char const*, char const*) [node]
 3: 0xbb7a4e v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [node]
 4: 0xbb7dc7 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [node]
 5: 0xd73fd5  [node]
 6: 0xd74b5f  [node]
 7: 0xd8299b v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [node]
 8: 0xd8655c v8::internal::Heap::AllocateRawWithRetryOrFailSlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [node]
 9: 0xd54c3b v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationType, v8::internal::AllocationOrigin) [node]
10: 0x109d21f v8::internal::Runtime_AllocateInYoungGeneration(int, unsigned long*, v8::internal::Isolate*) [node]
11: 0x1446379  [node]
/home/runner/work/_temp/01d55771-a649-4e87-9bae-d580139a42c6.sh: line 1:  1528 Aborted                 (core dumped) surge teardown "community-hashi-vault-pr209.surge.sh" --token ***

rany2 commented 2 years ago

https://github.com/Marak/colors.js/issues/285

DABH commented 2 years ago

Please just pin the colors dependency to 1.4.0, and see the following if you need additional context: https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640

sintaxi commented 2 years ago

Looking into it. Thanks for reporting this.

sintaxi commented 2 years ago

Just published a patch release to fix this attack. It is surge@0.23.1. Install by running npm install -g surge.

Sorry this issue came up. I will consider pinning ALL dependencies moving forward to prevent an issue like this from happening again.
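A defender-side check for the pin DABH asks for above, and for the blanket pinning sintaxi mentions, added here as an example and not code from the surge project: it audits a constructed package-lock.json excerpt for any copy of `colors` that did not resolve to 1.4.0, and rewrites a package.json to pin it, adding an npm `overrides` entry so the pin also holds where `colors` is only a transitive dependency of surge. Every version number in the sample data other than 1.4.0 is constructed for the example.

```javascript
// Added example, not surge's own code. Audits an npm lockfile (v2/v3 "packages" map)
// for copies of `colors` that did not resolve to the known-good 1.4.0, and pins it in
// package.json, including an "overrides" entry (npm >= 8.3) for transitive installs.
const PINNED = { colors: '1.4.0' }; // the version the thread asks to pin to

// Walk every installed package path; nested installs like
// node_modules/surge/node_modules/colors and scoped names (@org/pkg) both work.
function findUnpinned(lock, pinned = PINNED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name in pinned && meta.version !== pinned[name]) {
      findings.push({ path, name, version: meta.version, expected: pinned[name] });
    }
  }
  return findings;
}

// Return a copy of package.json with exact versions (no ^ or ~) for each pinned name
// and an "overrides" block so the pin wins even when colors is only pulled in by surge.
function pinInPackageJson(pkg, pinned = PINNED) {
  const out = JSON.parse(JSON.stringify(pkg)); // do not mutate the caller's object
  for (const field of ['dependencies', 'devDependencies']) {
    for (const name of Object.keys(out[field] || {})) {
      if (name in pinned) out[field][name] = pinned[name];
    }
  }
  out.overrides = { ...(out.overrides || {}), ...pinned };
  return out;
}

// Constructed lockfile excerpt: a caret range on colors let a release newer than
// 1.4.0 in under surge. "0.23.0" and "1.4.9" are sample values made up for this example.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'ci-project', dependencies: { surge: '^0.23.0' } },
    'node_modules/surge': { version: '0.23.0', dependencies: { colors: '^1.4.0' } },
    'node_modules/surge/node_modules/colors': { version: '1.4.9' },
    'node_modules/colors': { version: '1.4.0' }, // hoisted good copy, not flagged
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findUnpinned(SAMPLE_LOCK));
  console.log(JSON.stringify(pinInPackageJson({ dependencies: { colors: '^1.4.0' } }), null, 2));
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result from findUnpinned is the signal to fail the CI job before `surge teardown` runs.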