supnate / rekit

IDE and toolkit for building scalable web applications with React, Redux and React-router
http://rekit.js.org
MIT License
4.47k stars, 258 forks

High Severity Vulnerability in Rekit-core #221

Open nrydevopswatch opened 4 years ago

nrydevopswatch commented 4 years ago

Hello,

Is there a workaround for this? It makes it unusable for our project as Rekit-Core currently includes "decompress" NPM package with a high severity vulnerability.

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rekit-core                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rekit-core > download-git-repo > download > decompress       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 2148395 scanned packages

nrydevopswatch commented 4 years ago

Here is the output from a scan using Snyk:

Tested 1870 dependencies for known issues, found 19 issues, 21 vulnerable paths.

Issues with no direct upgrade or patch:

✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://snyk.io/vuln/SNYK-JS-DECOMPRESS-557358] in decompress@4.2.0
  introduced by rekit-core@3.0.0 > download-git-repo@1.1.0 > download@5.0.3 > decompress@4.2.0
  No upgrade or patch available

✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://snyk.io/vuln/SNYK-JS-DECOMPRESSTAR-559095] in decompress-tar@4.1.1
  introduced by rekit-core@3.0.0 > download-git-repo@1.1.0 > download@5.0.3 > decompress@4.2.0 > decompress-tar@4.1.1 and 2 other path(s)
  No upgrade or patch available

✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-DOTPROP-543489] in dot-prop@4.2.0
  introduced by sw-precache-webpack-plugin@1.0.0 > sw-precache@5.2.1 > update-notifier@2.5.0 > configstore@3.1.2 > dot-prop@4.2.0
  This issue was fixed in versions: 5.1.1

✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535497] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-Bounds [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535498] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535502] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-bounds Read [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540956] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540958] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Uncontrolled Recursion [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540964] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ NULL Pointer Dereference [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540974] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540978] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540980] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540990] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540992] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540994] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-bounds Read [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540996] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-Bounds [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540998] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541000] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541002] in node-sass@4.13.1
  introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
  No upgrade or patch available

Organization:    nrydevopswatch
Package manager: npm
Target file:     package-lock.json
Project name:    blackbird-scanner
Open source:     no
Project path:    /home/rbruscoe/dev/blackbird-scanner
Licenses:        enabled

Run snyk wizard to address these issues.

supnate commented 4 years ago

Hello, are you using rekit 2.x? For 3.x rekit-core is no longer a dependency of the projects.

nrydevopswatch commented 4 years ago

I'm using Rekit 3.0.0 and I followed the instructions to build it on your README.md for a new project.

nrydevopswatch commented 4 years ago

I just removed Rekit-Core 3.0.0 from the 'package.json', and deleted the 'package-lock.json' and the 'node_modules' folder. Then I did a fresh 'npm install' and then tried to do 'npm start', but it failed with several errors saying it could not find the 'rekit-core' dependency.