usebruno / bruno

Opensource IDE For Exploring and Testing Api's (lightweight alternative to postman/insomnia)
https://www.usebruno.com/
MIT License
25.89k stars 1.18k forks

CLI 2 critical severity vulnerabilities #922

Open bourpie opened 11 months ago

bourpie commented 11 months ago

When installing CLI on Node V. 18.14.1, I get this message

npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

changed 146 packages, and audited 147 packages in 11s

34 packages are looking for funding
  run `npm fund` for details

2 critical severity vulnerabilities

Its-treason commented 11 months ago

vm2 has been deprecated for a while now, and we already planned to update to a different library here #263.

The vulnerabilities in vm2 allow for malicious code to escape the sandbox. I think if you only run trusted request scripts it should be fine for now, but we will definitely address this in the future.

chriswarkentin commented 8 months ago

I would say that this should be fairly high priority if you're looking to drive adoption. I'm evaluating Bruno to use at my workplace and things like that will definitely raise eyebrows. I wanted to test the cli but immediately uninstalled it when confronted by those security warnings.

camba1 commented 6 months ago

Is there any progress on this? I love Bruno, but unfortunately cannot use the CLI until this is addressed and thus cannot use it to automate API testing.

Its-treason commented 6 months ago

> Is there any progress on this? I love Bruno, but unfortunately cannot use the CLI until this is addressed and thus cannot use it to automate API testing.

Not really, I opened a second PR that replaced vm2 with the native vm module. But this did not get any attention yet.
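The two maintainer replies above describe the risk (vm2's sandbox-escape advisories) and the workaround (only run trusted request scripts until the dependency is replaced). As an added example that is not part of the thread or of Bruno's code, here is a small CI gate a consumer can run before shipping a pipeline that installs the CLI: it reads an `npm audit --json` report and a lockfile v3 `package-lock.json` and fails when a critical advisory or a deprecated sandbox package such as vm2 is present. Both inputs are constructed samples shaped like the real formats; the package versions and paths in them are placeholders.

```javascript
// Added example (not Bruno's code): dependency gate for a CI pipeline.
// Run `npm audit --json > audit.json` and feed that plus package-lock.json
// into gate(); the samples below are constructed stand-ins for both files.

// Constructed `npm audit --json` report (npm >= 7 shape, trimmed).
const SAMPLE_AUDIT = {
  vulnerabilities: {
    vm2: { name: 'vm2', severity: 'critical', range: '<=3.9.19', isDirect: false },
    'follow-redirects': { name: 'follow-redirects', severity: 'moderate', range: '<1.0.0', isDirect: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 1, total: 2 } },
};

// Constructed package-lock.json excerpt (lockfileVersion 3); versions are placeholders.
const SAMPLE_LOCK = {
  name: 'example-ci-consumer',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@usebruno/cli': '0.0.0' } },
    'node_modules/@usebruno/cli': { version: '0.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/vm2': { version: '3.9.19', deprecated: 'The library contains critical security issues' },
  },
};

const BLOCKED_PACKAGES = new Set(['vm2']); // sandboxes we refuse to ship, regardless of audit status
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above `threshold` severity from an npm audit report.
function findSevereAdvisories(audit, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return Object.values(audit.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => ({ name: v.name, severity: v.severity, range: v.range }));
}

// Installed packages (any nesting depth) that are block-listed or registry-deprecated.
function findBlockedOrDeprecated(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (BLOCKED_PACKAGES.has(name) || meta.deprecated) {
      hits.push({ name, version: meta.version, deprecated: Boolean(meta.deprecated) });
    }
  }
  return hits;
}

// Single pass/fail decision for the pipeline, with the evidence attached.
function gate(audit, lock, threshold = 'high') {
  const advisories = findSevereAdvisories(audit, threshold);
  const packages = findBlockedOrDeprecated(lock);
  return { ok: advisories.length === 0 && packages.length === 0, advisories, packages };
}

console.log(JSON.stringify(gate(SAMPLE_AUDIT, SAMPLE_LOCK), null, 2)); // ok: false, both checks hit
```

Note that Node's built-in `vm` module, mentioned as the replacement in the reply above, is documented by Node itself as not being a security mechanism, so the "only run trusted request scripts" advice still applies after the swap.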

qury commented 4 months ago

Are there any plans from the main contributors to fix any of the critical bugs?

As of today this is what I get from npm audit: 44 vulnerabilities (31 moderate, 9 high, 4 critical)

Critical packages being:

treynolds011 commented 3 months ago

I know that there has been some discussion of getting this fixed, but I would love to start using the CLI in my environment and can't until this is fixed.

cemerick1 commented 3 months ago

I agree with the above comments about this getting fixed so we can use it in our CI/CD pipelines.

tonytvo commented 3 months ago

It's very critical that we can get the command line for Bruno working for CI/CD, as CI/CD is a very critical component in software development and will definitely drive adoption for Bruno. It would be greatly appreciated if we could get this fixed soon; it stops me from using it in my workplace.

brvaland commented 1 week ago

Is it possible to share timelines for when this issue will be resolved?

This is a critical security vulnerability which needs to be resolved before we can use the bru CLI in CI/CD pipelines.