
execa 1.0.0 critical vulnerability exists in @angular-devkit/build-angular #20386

Closed
shaun-jacks opened this issue Mar 26, 2021 · 3 comments

@shaun-jacks

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Information to Reproduce

@angular-devkit/build-angular version: 0.1102.6

Look at the nested dependencies of this package; you will see:

    @angular-devkit/build-angular@0.1102.6 -> webpack-dev-server@3.11.2 -> internal-ip@^4.3.0 -> default-gateway@^4.2.0 -> execa@^1.0.0

Description

Execa ^1.0.0 is a critical vulnerability flagged by the GitLab dependency scanner, and exists as a nested dependency in the @angular-devkit/build-angular package.

Here is the dependency scanning output I am receiving for all Angular projects:

    name: "Uncontrolled Search Path Element"
    message: "Uncontrolled Search Path Element in execa"
    severity: "Critical",
    description: "Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application."
    solution: "Upgrade to version 2.0.0 or above."
    Identifier: "gemnasium"

Possible Solution

I believe upgrading to a version of webpack-dev-server that does not have execa ^1.0.0 as a dependency will fix this issue.

It looks like webpack-dev-server uses a version of internal-ip package that fixes this and this will be released in version 4. Although they also have **/sane/execa@^1.0.0 as a dependency due to jest. And jest v27 will remove sane/execa@1.0.0 from its dependencies as well. jestjs/jest#10919

For now, users that use yarn as a package manager can place

    "**/webpack-dev-server/internal-ip": "^5.0.0",
    "**/sane/execa": "^2.0.0"

in the resolutions of their package.json, but this is not an ideal solution.

I would appreciate any updates on execa 1.0.0 being removed as a nested dependency, as it affects all Angular app dependencies. Thank you!

@alan-agius4
Collaborator

Hi,

Typically we don't expect that the CLI is present in a production environment where this vulnerability can be exploited.

Unfortunately, we cannot update webpack-dev-server outside of a major, as this on its own is considered a breaking change; additionally, webpack-dev-server version 4 is still not stable.

At this point, there is nothing actionable from our end here. I suggest opening an issue with webpack-dev-server to fix the vulnerability in the stable version of the package.

@clydin
Member

clydin commented Mar 30, 2021

Also of note is that with webpack-dev-server 3, the internal-ip package is only used when the useLocalIp option is enabled. This option is not used by @angular-devkit/build-angular.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.


This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Apr 30, 2021