Snyk Vulnerability: 3 High Severity Vulnerabilities Found in Angular 9.1.0 #17388

Closed
kumaran-is opened this issue Apr 3, 2020 · 7 comments · Fixed by #17525

@kumaran-is

🐞 bug report

Affected Package

Angular 9 uses vulnerable versions of the dependency packages karma@4.1.0 and http-server@0.11.1. For more detail, refer to the description section.

Is this a regression?

This vulnerability was already present in version 9.0.x.

Description

Angular 9.1.0 has 3 high-severity vulnerabilities:

✗ High severity vulnerability found in useragent
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-USERAGENT-174737
Introduced through: karma@4.1.0
From: karma@4.1.0 > useragent@2.3.0

✗ High severity vulnerability found in qs
Description: Prototype Override Protection Bypass
Info: https://snyk.io/vuln/npm:qs:20170213
Introduced through: http-server@0.11.1
From: http-server@0.11.1 > union@0.4.6 > qs@2.3.3

✗ High severity vulnerability found in ecstatic
Description: Denial of Service (DoS)
Info: https://snyk.io/vuln/SNYK-JS-ECSTATIC-540354
Introduced through: http-server@0.11.1
From: http-server@0.11.1 > ecstatic@3.3.2

For the complete Snyk report, refer to the attachment: [angular 9.1.x snyk-output.txt](https://github.com/angular/angular/files/4429037/angular.9.1.x.snyk-output.txt)

🌍 Your Environment

Angular Version:

Angular CLI: 9.1.0
Node: 12.13.0
OS: darwin x64

Angular: 
... 
Ivy Workspace: 

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.901.0
@angular-devkit/core         9.1.0
@angular-devkit/schematics   9.1.0
@schematics/angular          9.1.0
@schematics/update           0.901.0
rxjs                         6.5.4
@kara
Contributor

kara commented Apr 3, 2020

The framework itself does not ship with those dependencies, but the CLI does use them. Transferring this issue to the CLI team for investigation.

@kara kara transferred this issue from angular/angular Apr 3, 2020
@clydin
Member

clydin commented Apr 3, 2020

http-server is not a dependency of the Angular CLI, nor is it installed within a new project. This was most likely installed manually within the project.

karma, however, is installed within a new project. To rectify the useragent package warning, karma would need to either change dependencies or wait for an update to the package. There is an open issue with the useragent project from June 2019 regarding this issue (3rd-Eden/useragent#147). However, no releases have been made.

@devoto13
Contributor

devoto13 commented Apr 3, 2020

Karma has already switched to a different UA parser, but not released yet: karma-runner/karma#3440.

@kumaran-is
Author

Karma release v5.0.0 is out: https://github.com/karma-runner/karma/blob/master/CHANGELOG.md

@alan-agius4 alan-agius4 self-assigned this Apr 22, 2020
@ngbot ngbot bot added this to the Backlog milestone Apr 22, 2020
kyliau pushed a commit that referenced this issue Apr 22, 2020
With this change we generate new workspaces with Karma version 5.
The previous version has several security vulnerabilities which were addressed in version 5.

Closes #17388 and closes #17241
@alan-agius4
Collaborator

Closed via #17525

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 23, 2020
6 participants