
[BUG] Security vulnerabilities in deps https-proxy-agent, npm-packlist, yargs-parser, request, dot-prop, and execa #1490

Closed
juppala opened this issue Jul 4, 2020 · 0 comments
juppala commented Jul 4, 2020

What / Why

The npm dependencies https-proxy-agent, npm-packlist, yargs-parser, request, dot-prop, and execa have not been updated in years, and the package versions that the npm CLI is using have security vulnerabilities.

https-proxy-agent - The https-proxy-agent package is vulnerable to Man-in-the-Middle. The ondata and onsocket functions in index.js do not upgrade TLS connections like they normally do when connecting to a proxy that doesn't return a 200 response to the initial CONNECT request. Consequently, a MitM listening to this could potentially view sensitive data that would have otherwise been hidden by TLS.

npm-packlist - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
npm-packlist - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

yargs-parser - The yargs-parser package is vulnerable to Prototype Pollution. The setKey() function in the index.js file allows users to modify object prototypes by leveraging the `__proto__` property. A remote attacker can exploit this behavior to obtain information, cause a Denial of Service (DoS) condition, or to perform Remote Code Execution (RCE) depending on the context under which the affected object prototype is used by the application.

request - The request package is vulnerable to Weak Authentication Algorithm. The function in oauth.js uses SHA-1 for authentication, which is no longer considered cryptographically secure. With enough resources an attacker might be able to crack the authentication mechanism and cause security attacks.

dot-prop - The dot-prop package is vulnerable to Prototype Pollution attacks. The getPathSegments() function in the index.js file fails to restrict access to the prototypes of base objects and, consequently, allows for the modification of prototype behavior. An attacker can exploit this vulnerability by supplying data that overrides the base object's prototype's behavior which, depending on its usage within the application, may allow the attacker to obtain sensitive information, perform a Denial of Service (DoS) attack, or execute malicious code.

execa - The execa package is vulnerable to Command Injection attacks. When using execa.shell(), execa.shellSync(), or execa() with shell=true, embedded parameters in the command string can be interpreted as additional OS commands. A remote attacker can exploit this behavior by submitting a crafted request that propagates a command to a parameter embedded in the input string for one of the aforementioned functions. Attackers may leverage this vulnerability to run arbitrary commands on the application server and set up a reverse shell.

When

  • Refer to the links provided above; it seems these issues have existed for a long time but have not been addressed yet. We observed these issues as part of a security scan on the nodejs docker image, which internally uses the npm CLI and its dependencies.

Where

How

Current Behavior

Steps to Reproduce

Expected Behavior

  • Update the dependency packages mentioned above to non-vulnerable versions (refer to the FIX AVAILABLE VERSION column).
    https-proxy-agent : 2.2.4 to 3.0.0
    npm-packlist : 1.4.8 to 2.0.2
    yargs-parser : 9.0.2 to 13.1.2
    execa : 0.7.0 to 2.0.1
    dot-prop : 4.2.0 to 5.1.1
    request : 2.88.0 and fix is not available from request module at this point.

Who

References

  • n/a

Attachments with scan details

npm-vulnerabilities.zip
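The prototype-pollution pattern reported above for yargs-parser's setKey() and dot-prop's getPathSegments(), as an added example that is not part of the issue or of either package's code: a naive dotted-path setter beside a hardened one, with `naiveSet`, `safeSet`, `demo` and the constructed sample paths being this example's own names, not the packages' APIs.

```javascript
// Added example, not code from the npm issue or from yargs-parser/dot-prop:
// a naive dotted-path setter beside a hardened version that refuses segments
// which can reach a prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Naive: creates/follows every segment unchecked. For '__proto__.polluted'
// the walk lands on Object.prototype, so the write is visible on every object.
function naiveSet(target, path, value) {
  const segs = path.split('.');
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (node[segs[i]] === undefined) node[segs[i]] = {};
    node = node[segs[i]];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching segments up front, and only follow
// own, plain-object properties so an inherited value is never walked into.
function safeSet(target, path, value) {
  const segs = path.split('.');
  const bad = segs.find((s) => FORBIDDEN.has(s));
  if (bad !== undefined) throw new Error(`unsafe path segment: ${bad}`);
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const k = segs[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Runs both setters on constructed attacker-style paths and reports what
// happened; the pollution is undone so the rest of the process is unaffected.
function demo() {
  const paths = ['__proto__.polluted', 'constructor.prototype.polluted'];
  const naivePolluted = paths.map((p) => {
    naiveSet({}, p, 'yes');
    const hit = ({}).polluted === 'yes'; // an unrelated object sees the value
    delete Object.prototype.polluted;
    return hit;
  });
  const safeRejected = paths.map((p) => {
    try { safeSet({}, p, 'yes'); return false; } catch (e) { return true; }
  });
  const benign = safeSet({}, 'a.b.c', 1); // legitimate nested write still works
  return { naivePolluted, safeRejected, benign, leaked: ({}).polluted !== undefined };
}
```

Upgrading to the fixed versions listed above is the real remedy; the hardened setter shows the check those fixes added so it can be recognised when reviewing other code that walks user-supplied key paths.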

@juppala juppala changed the title [BUG] Security vulnerabilities in deps https-proxy-agent, npm-packlist, and yargs-parser [BUG] Security vulnerabilities in deps https-proxy-agent, npm-packlist, yargs-parser, request, dot-prop, and execa Jul 8, 2020
@darcyclarke darcyclarke added the Bug thing that needs fixing label Oct 30, 2020