thirdweb-dev / js

Best in class web3 SDKs for Browser, Node and Mobile apps
https://thirdweb.com
Apache License 2.0

@openzeppelin/contracts <=4.9.5 dependency Security alert high #2445

Closed arpu closed 8 months ago

arpu commented 8 months ago

Hi,

after using sdk and react sdk >= 4 we get this high security alert:

@openzeppelin/contracts  <=4.9.5
Severity: high
GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behavior - https://github.com/advisories/GHSA-m6w8-fq7v-ph4m
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers - https://github.com/advisories/GHSA-4g63-c64m-25w9
OpenZeppelin Contracts initializer reentrancy may lead to double initialization - https://github.com/advisories/GHSA-9c22-pwxw-p6hx
OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals - https://github.com/advisories/GHSA-xrc4-737v-9q75
OpenZeppelin Contracts's ERC165Checker may revert instead of returning false - https://github.com/advisories/GHSA-qh9x-gcfh-pcrw
OpenZeppelin Contracts vulnerable to ECDSA signature malleability - https://github.com/advisories/GHSA-4h98-2769-gh6h
Improper Initialization in OpenZeppelin - https://github.com/advisories/GHSA-88g8-f5mf-f5rj
GovernorCompatibilityBravo may trim proposal calldata - https://github.com/advisories/GHSA-93hq-5wgc-jc82
OpenZeppelin Contracts ERC165Checker unbounded gas consumption - https://github.com/advisories/GHSA-7grf-83vw-6f5x
OpenZeppelin Contracts vulnerable to Improper Escaping of Output - https://github.com/advisories/GHSA-g4vp-m682-qqmp
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees - https://github.com/advisories/GHSA-wprv-93r4-jj2p
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated - https://github.com/advisories/GHSA-mx2q-35m2-x2rh
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning - https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
OpenZeppelin Contracts base64 encoding may read from potentially dirty memory - https://github.com/advisories/GHSA-9vx6-7xxf-x967
fix available via `npm audit fix --force`
Will install @thirdweb-dev/sdk@3.10.54, which is a breaking change
node_modules/@chainlink/contracts/node_modules/@openzeppelin/contracts
node_modules/@openzeppelin/contracts
node_modules/@openzeppelin/contracts-v0.7
  @chainlink/contracts  0.6.0 - 0.8.0
  Depends on vulnerable versions of @openzeppelin/contracts
  Depends on vulnerable versions of @openzeppelin/contracts
  node_modules/@chainlink/contracts
  @thirdweb-dev/contracts  >=3.8.5
  Depends on vulnerable versions of @chainlink/contracts
  Depends on vulnerable versions of @openzeppelin/contracts
  Depends on vulnerable versions of @openzeppelin/contracts-upgradeable
  node_modules/@thirdweb-dev/contracts
    @thirdweb-dev/contracts-js  <=0.0.0-dev-fcd866a-20230913222156 || >=1.3.12-nightly-088547f7-20230823175428
    Depends on vulnerable versions of @thirdweb-dev/contracts
    node_modules/@thirdweb-dev/contracts-js
      @thirdweb-dev/sdk  <=0.0.0-dev-ffb8112-20230830184339 || >=3.10.55-nightly-088547f7-20230823175428
      Depends on vulnerable versions of @thirdweb-dev/contracts-js
      node_modules/@thirdweb-dev/sdk
        @thirdweb-dev/react  <=0.0.0-dev-ffd23fc-20230715220148 || >=3.10.4-dev-20230309211336-d5a5a74
        Depends on vulnerable versions of @thirdweb-dev/react-core
        Depends on vulnerable versions of @thirdweb-dev/sdk
        Depends on vulnerable versions of @thirdweb-dev/wallets
        node_modules/@thirdweb-dev/react
        @thirdweb-dev/react-core  <=0.0.0-dev-ffd23fc-20230715220148 || >=3.10.4-dev-20230309211336-d5a5a74
        Depends on vulnerable versions of @thirdweb-dev/auth
        Depends on vulnerable versions of @thirdweb-dev/sdk
        Depends on vulnerable versions of @thirdweb-dev/wallets
        node_modules/@thirdweb-dev/react-core
      @thirdweb-dev/wallets  <=0.0.0-dev-ffd23fc-20230715220148 || >=0.2.9-dev-20230310112535-5565e00
      Depends on vulnerable versions of @blocto/sdk
      Depends on vulnerable versions of @safe-global/safe-ethers-adapters
      Depends on vulnerable versions of @thirdweb-dev/contracts-js
      Depends on vulnerable versions of @thirdweb-dev/sdk
      node_modules/@thirdweb-dev/wallets
        @thirdweb-dev/auth  <=0.0.0-dev-ffd23fc-20230715220148 || >=3.0.8-dev-20230310112535-5565e00
        Depends on vulnerable versions of @thirdweb-dev/wallets
        node_modules/@thirdweb-dev/auth

@openzeppelin/contracts-upgradeable  <=4.9.5
Severity: high
GovernorCompatibilityBravo may trim proposal calldata - https://github.com/advisories/GHSA-93hq-5wgc-jc82
OpenZeppelin Contracts vulnerable to Improper Escaping of Output - https://github.com/advisories/GHSA-g4vp-m682-qqmp
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees - https://github.com/advisories/GHSA-wprv-93r4-jj2p
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated - https://github.com/advisories/GHSA-mx2q-35m2-x2rh
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning - https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
OpenZeppelin Contracts base64 encoding may read from potentially dirty memory - https://github.com/advisories/GHSA-9vx6-7xxf-x967
fix available via `npm audit fix`
node_modules/@openzeppelin/contracts-upgradeable

looks like the dep comes from

"node_modules/@thirdweb-dev/contracts": {
  "version": "3.10.3",
  "resolved": "https://registry.npmjs.org/@thirdweb-dev/contracts/-/contracts-3.10.3.tgz",
  "integrity": "sha512-wSVNaEoosn0AgUtnxlvv7rgK+3EUMzJm2ZasofPgJgqGS3gYH5nDBmK29VMquA2BLc38OAPyYMWc/iQCiCikMg==",
  "dependencies": {
    "@chainlink/contracts": "^0.6.1",
    "@openzeppelin/contracts": "4.7.3",
    "@openzeppelin/contracts-upgradeable": "4.7.3",
    "@thirdweb-dev/dynamic-contracts": "^1.1.2",
    "erc721a-upgradeable": "^3.3.0"
  },
  "engines": {
    "node": ">=18.0.0"
  }
}

@warengonzaga let me know if you need any more info
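
One way to trace which dependent pins the flagged package, as an added example that is not part of the issue or of thirdweb's code: it walks the `packages` map of a package-lock.json (lockfileVersion 2/3) with Node-style resolution and prints every root-to-package chain, the same paths npm audit summarises as "Depends on vulnerable versions of". `SAMPLE_LOCK` is constructed to mirror the chain in the report above; the intermediate version numbers and the nested `@chainlink/contracts` copy's version are assumptions.

```javascript
// Added example, not thirdweb code. SAMPLE_LOCK is constructed (package-lock v2/v3 "packages" shape); its chain mirrors the report above, the intermediate versions are assumptions.
const SAMPLE_LOCK = { packages: {
  '': { dependencies: { '@thirdweb-dev/sdk': '^4.0.47' } },
  'node_modules/@thirdweb-dev/sdk': { version: '4.0.47', dependencies: { '@thirdweb-dev/contracts': '*' } },
  'node_modules/@thirdweb-dev/contracts': { version: '3.10.3', dependencies: { '@chainlink/contracts': '^0.6.1', '@openzeppelin/contracts': '4.7.3' } },
  'node_modules/@openzeppelin/contracts': { version: '4.7.3' },
  'node_modules/@chainlink/contracts': { version: '0.6.1', dependencies: { '@openzeppelin/contracts': '^4.3.2' } },
  'node_modules/@chainlink/contracts/node_modules/@openzeppelin/contracts': { version: '4.3.2' },
} };
// a <= b on the numeric major.minor.patch part (prerelease tags are ignored).
function lte(a, b) {
  const [x, y] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  const i = [0, 1, 2].find((k) => x[k] !== y[k]);
  return i === undefined || x[i] < y[i];
}

// Node-style resolution: the nearest node_modules/<dep> walking up from the `from` location.
function resolveDep(packages, from, dep) {
  for (let base = from; ; ) {
    const candidate = `${base ? base + '/' : ''}node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Reverse edges: install location -> locations of the packages that depend on it.
function dependentsOf(packages) {
  const rev = new Map();
  for (const [loc, meta] of Object.entries(packages)) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(packages, loc, dep);
      if (target !== null) rev.set(target, [...(rev.get(target) || []), loc]);
    }
  }
  return rev;
}

// Every chain from the project root ('') to an installed copy of `name` at version <= maxVersion, as "name@version" steps.
function vulnerableChains(packages, name, maxVersion) {
  const rev = dependentsOf(packages);
  const label = (loc) => `${loc.slice(loc.lastIndexOf('node_modules/') + 13)}@${packages[loc].version}`;
  const walk = (chain) => (chain[0] === '' ? [chain.slice(1).map(label)]
    : (rev.get(chain[0]) || []).filter((p) => !chain.includes(p)).flatMap((p) => walk([p, ...chain])));
  return Object.entries(packages)
    .filter(([loc, meta]) => loc.endsWith(`node_modules/${name}`) && lte(meta.version, maxVersion))
    .flatMap(([loc]) => walk([loc]));
}
```

Run against a real lock file with `vulnerableChains(JSON.parse(fs.readFileSync('package-lock.json')).packages, '@openzeppelin/contracts', '4.9.5')`; both the hoisted copy and the nested copy under `@chainlink/contracts` show up as separate chains.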

warengonzaga commented 8 months ago

Hey there, thanks for the report. @MananTank or @joaquim-verges can you check this? Thanks!

joaquim-verges commented 8 months ago

thanks for the report @arpu - we're updating the contracts dependency which should resolve this warning

joaquim-verges commented 8 months ago

here's the PR https://github.com/thirdweb-dev/js/pull/2459

arpu commented 8 months ago

@joaquim-verges Thanks! Any plans to release this soon?

joaquim-verges commented 8 months ago

@arpu PR was merged today, will release in a little bit

joaquim-verges commented 8 months ago

Done

arpu commented 8 months ago

Hi @joaquim-verges, not sure why at the moment, but the security alert is still shown

rpu@fedora:/run/media/arpu/work/CAPTIC/projects/1.0/marketplace$ npm list
marketplace@0.1.0 /run/media/arpu/work/CAPTIC/projects/1.0/marketplace
├── @thirdweb-dev/chains@0.1.80
├── @thirdweb-dev/react@4.4.20
├── @thirdweb-dev/sdk@4.0.47
├── @types/node@18.19.24
├── @types/react@18.2.66
├── eslint-config-next@13.5.6
├── eslint@8.57.0
├── ethers@5.7.2
├── next-nginx-routes@1.2.1
├── next@13.5.6
├── nextjs-progressbar@0.0.16
├── react-dom@18.2.0
├── react-hook-form@7.51.0
├── react-hot-toast@2.4.1
├── react@18.2.0
└── typescript@4.9.5

arpu@fedora:/run/media/arpu/work/CAPTIC/projects/1.0/marketplace$ npm audit
# npm audit report

@openzeppelin/contracts  <=4.9.5
Severity: high
GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behavior - https://github.com/advisories/GHSA-m6w8-fq7v-ph4m
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers - https://github.com/advisories/GHSA-4g63-c64m-25w9
OpenZeppelin Contracts initializer reentrancy may lead to double initialization - https://github.com/advisories/GHSA-9c22-pwxw-p6hx
OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals - https://github.com/advisories/GHSA-xrc4-737v-9q75
OpenZeppelin Contracts's ERC165Checker may revert instead of returning false - https://github.com/advisories/GHSA-qh9x-gcfh-pcrw
OpenZeppelin Contracts vulnerable to ECDSA signature malleability - https://github.com/advisories/GHSA-4h98-2769-gh6h
Improper Initialization in OpenZeppelin - https://github.com/advisories/GHSA-88g8-f5mf-f5rj
GovernorCompatibilityBravo may trim proposal calldata - https://github.com/advisories/GHSA-93hq-5wgc-jc82
OpenZeppelin Contracts ERC165Checker unbounded gas consumption - https://github.com/advisories/GHSA-7grf-83vw-6f5x
OpenZeppelin Contracts vulnerable to Improper Escaping of Output - https://github.com/advisories/GHSA-g4vp-m682-qqmp
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees - https://github.com/advisories/GHSA-wprv-93r4-jj2p
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated - https://github.com/advisories/GHSA-mx2q-35m2-x2rh
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning - https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
OpenZeppelin Contracts base64 encoding may read from potentially dirty memory - https://github.com/advisories/GHSA-9vx6-7xxf-x967
fix available via `npm audit fix --force`
Will install @thirdweb-dev/sdk@3.10.54, which is a breaking change
node_modules/@chainlink/contracts/node_modules/@openzeppelin/contracts
node_modules/@openzeppelin/contracts
node_modules/@openzeppelin/contracts-v0.7
  @chainlink/contracts  0.6.0 - 0.8.0
  Depends on vulnerable versions of @openzeppelin/contracts
  Depends on vulnerable versions of @openzeppelin/contracts
  node_modules/@chainlink/contracts
  @thirdweb-dev/contracts  >=3.8.5
  Depends on vulnerable versions of @chainlink/contracts
  Depends on vulnerable versions of @openzeppelin/contracts
  Depends on vulnerable versions of @openzeppelin/contracts-upgradeable
  node_modules/@thirdweb-dev/contracts
    @thirdweb-dev/contracts-js  <=0.0.0-dev-fcd866a-20230913222156 || >=1.3.12-nightly-088547f7-20230823175428
    Depends on vulnerable versions of @thirdweb-dev/contracts
    node_modules/@thirdweb-dev/contracts-js
      @thirdweb-dev/sdk  <=0.0.0-dev-ffb8112-20230830184339 || >=3.10.55-nightly-088547f7-20230823175428
      Depends on vulnerable versions of @thirdweb-dev/contracts-js
      node_modules/@thirdweb-dev/sdk
        @thirdweb-dev/react  <=0.0.0-dev-ffd23fc-20230715220148 || >=3.10.4-dev-20230309211336-d5a5a74
        Depends on vulnerable versions of @thirdweb-dev/react-core
        Depends on vulnerable versions of @thirdweb-dev/sdk
        Depends on vulnerable versions of @thirdweb-dev/wallets
        node_modules/@thirdweb-dev/react
        @thirdweb-dev/react-core  <=0.0.0-dev-ffd23fc-20230715220148 || >=3.10.4-dev-20230309211336-d5a5a74
        Depends on vulnerable versions of @thirdweb-dev/auth
        Depends on vulnerable versions of @thirdweb-dev/sdk
        Depends on vulnerable versions of @thirdweb-dev/wallets
        node_modules/@thirdweb-dev/react-core
      @thirdweb-dev/wallets  <=0.0.0-dev-ffd23fc-20230715220148 || >=0.2.9-dev-20230310112535-5565e00
      Depends on vulnerable versions of @blocto/sdk
      Depends on vulnerable versions of @safe-global/safe-ethers-adapters
      Depends on vulnerable versions of @thirdweb-dev/contracts-js
      Depends on vulnerable versions of @thirdweb-dev/sdk
      node_modules/@thirdweb-dev/wallets
        @thirdweb-dev/auth  <=0.0.0-dev-ffd23fc-20230715220148 || >=3.0.8-dev-20230310112535-5565e00
        Depends on vulnerable versions of @thirdweb-dev/wallets
        node_modules/@thirdweb-dev/auth

@openzeppelin/contracts-upgradeable  <=4.9.5
Severity: high
GovernorCompatibilityBravo may trim proposal calldata - https://github.com/advisories/GHSA-93hq-5wgc-jc82
OpenZeppelin Contracts vulnerable to Improper Escaping of Output - https://github.com/advisories/GHSA-g4vp-m682-qqmp
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees - https://github.com/advisories/GHSA-wprv-93r4-jj2p
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated - https://github.com/advisories/GHSA-mx2q-35m2-x2rh
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning - https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
OpenZeppelin Contracts base64 encoding may read from potentially dirty memory - https://github.com/advisories/GHSA-9vx6-7xxf-x967
fix available via `npm audit fix`
node_modules/@openzeppelin/contracts-upgradeable

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @thirdweb-dev/react@3.10.3, which is a breaking change
node_modules/@json-rpc-tools/provider/node_modules/axios
node_modules/axios
  @json-rpc-tools/provider  <=2.0.0-beta.1
  Depends on vulnerable versions of axios
  node_modules/@json-rpc-tools/provider
    eip1193-provider  >=1.0.0
    Depends on vulnerable versions of @json-rpc-tools/provider
    node_modules/eip1193-provider
      @blocto/sdk  >=0.2.7-beta.0
      Depends on vulnerable versions of eip1193-provider
      node_modules/@blocto/sdk
  @safe-global/safe-ethers-adapters  *
  Depends on vulnerable versions of axios
  node_modules/@safe-global/safe-ethers-adapters

joaquim-verges commented 8 months ago

I think I see the issue: the contracts repo is itself pulling an older version of the SDK for its scripts.

We'll get that fixed asap.

Cc @kumaryash90

joaquim-verges commented 8 months ago

@arpu we just released a new version of our packages which resolves most of the security warnings. Please update and let us know if it's all good on your side.

Thanks again for the report!

arpu commented 8 months ago

Thanks!