webdriverio-boneyard / wdio-selenium-standalone-service

WebdriverIO v4 service to start & stop Selenium Standalone http://webdriver.io
MIT License

NSP reports vulnerability using hoek@2.16.3 #49

Closed akselnordal closed 6 years ago

akselnordal commented 6 years ago

When running nsp@^3.2.1 to check for vulnerabilities, it reports the following vulnerability:

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ XXX > wdio-selenium-standalone-service@0.0.10 >       │
│            │ selenium-standalone@6.14.0 > request@2.79.0 > hawk@3.1.3 >         │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

This vulnerability will usually not pop up when it is part of the devDependencies, but if nsp is set up to check devDependencies as well (as retire.js also does), it pops up.

Setup: Node@8.10.0

Test script:

    "test:security": "nsp check --preprocessor dev-dependencies --threshold 4",

And in the root folder, add this file: nsp-preprocessor-dev-dependencies.js

```js
/* eslint object-shorthand: 0 */
const path = require('path');

function check(args) {
  // nsp hands the project directory to the preprocessor as `args.path`;
  // read package.json from there instead of a path relative to this file.
  const pkg = require(path.join(args.path, 'package.json'));
  // `pkg` must be the JSON parsed contents of package.json
  // `shrinkwrap` (npm-shrinkwrap.json) and `packagelock` (package-lock.json)
  // could be added the same way; both are optional and left out here.
  // Fold devDependencies into dependencies so nsp audits both sets.
  const allDeps = Object.assign({}, pkg, {
    dependencies: Object.assign({}, pkg.dependencies, pkg.devDependencies),
  });
  return Object.assign(args, { pkg: allDeps });
}

module.exports = {
  check,
};
```
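To make the "Prototype pollution attack" row of the report concrete, here is an added example (written for this page, not hoek's source and not code from this thread): a minimal recursive merge in the unguarded style the advisory describes, next to a hardened version that refuses prototype-related keys. The names `naiveMerge`, `safeMerge` and `demonstrate` are this example's own, and the payload is constructed.

```javascript
'use strict';

// Keys that let a merge reach into the prototype chain instead of the target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern (modelled on the unguarded recursive merge the advisory
// describes; written for this example): every key of `source` is trusted, so a
// "__proto__" key makes the recursion descend into Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      naiveMerge(target[key], value); // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: skip prototype-related keys and only recurse into own,
// plain-object properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against a constructed attacker payload, e.g. a request body
// parsed with JSON.parse, which keeps "__proto__" as an ordinary own key.
function demonstrate() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');

  const safeResult = safeMerge({}, payload);
  const leakAfterSafe = ({}).polluted === true;

  naiveMerge({}, payload);
  const leakAfterNaive = ({}).polluted === true;

  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  return { safeResult, leakAfterSafe, leakAfterNaive };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

The important detail is that `JSON.parse` creates `__proto__` as an own property, so `Object.keys` returns it; the vulnerable merge then reads `target['__proto__']`, which is the prototype accessor, and writes the attacker's keys onto `Object.prototype` for every object in the process.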
christian-bromann commented 6 years ago

We can't fix this. We need to wait until selenium-standalone has upgraded their dependencies.

akselnordal commented 6 years ago

Thanks, I agree. Creating a new issue at the selenium-standalone repo https://github.com/vvo/selenium-standalone/issues/360
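Until that upstream upgrade lands, the practical check is whether a vulnerable hoek is still reachable in your own lockfile. The following script is added here as an example (not part of the thread, and not nsp's code): it walks a lockfileVersion 1 package-lock.json tree, lists every install path of hoek, and marks each against the advisory's ranges. The lockfile content is constructed to mirror the path in the report, the `my-app` root and the function names are this example's own, and the version comparison assumes plain x.y.z versions (prerelease tags are dropped before comparing).

```javascript
'use strict';

// Constructed lockfileVersion 1 fragment mirroring the path in the nsp report;
// real lockfiles carry more fields (resolved, integrity, requires, ...).
const SAMPLE_LOCK = {
  name: 'my-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'wdio-selenium-standalone-service': {
      version: '0.0.10',
      dev: true,
      dependencies: {
        'selenium-standalone': {
          version: '6.14.0',
          dependencies: {
            request: {
              version: '2.79.0',
              dependencies: {
                hawk: {
                  version: '3.1.3',
                  dependencies: { hoek: { version: '2.16.3' } },
                },
              },
            },
          },
        },
      },
    },
    hoek: { version: '4.2.1' }, // a second, patched copy hoisted to the top level
  },
};

// Minimal semver compare for x.y.z (prerelease/build suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Advisory ranges from the report: vulnerable if <= 4.2.0 || >= 5.0.0 < 5.0.3
function hoekIsVulnerable(version) {
  return compareVersions(version, '4.2.0') <= 0 ||
    (compareVersions(version, '5.0.0') >= 0 && compareVersions(version, '5.0.3') < 0);
}

// Depth-first walk over nested `dependencies` maps; returns every install
// path of `name` in "a@1 > b@2" form, matching the report's Path column.
function findPaths(node, name, trail, out) {
  const deps = node.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = trail.concat(`${dep}@${info.version}`);
    if (dep === name) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findPaths(info, name, here, out);
  }
  return out;
}

function reportHoek(lock) {
  return findPaths(lock, 'hoek', [lock.name || 'root'], [])
    .map((p) => Object.assign({}, p, { vulnerable: hoekIsVulnerable(p.version) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  // To run against a real project: replace SAMPLE_LOCK with
  // JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))
  for (const entry of reportHoek(SAMPLE_LOCK)) {
    console.log(`${entry.vulnerable ? 'VULNERABLE' : 'ok'}  ${entry.path}`);
  }
}
```

A hoisted, patched hoek at the top level does not help: the nested copy under hawk is the one request resolves, which is why the fix has to come from the dependency chain itself rather than from adding a newer hoek to the project.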