
Hawk dependency causes security risk #2874

Closed
lightkraken opened this issue Feb 15, 2018 · 19 comments
@lightkraken

lightkraken commented Feb 15, 2018

I recently ran a Node Security scan on a project that uses Request and found a security issue related to the version of Hawk (and subsequently Hoek) that Request is using.

request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439

@KittyGiraudel

KittyGiraudel commented Feb 16, 2018

Yup! Same one, with a different path (for some reason…?):

request@2.83.0 > hawk@3.1.3 > hoek@2.16.3

@andreasvoigt

andreasvoigt commented Feb 16, 2018

Latest hawk version is 7.0.7 which uses hoek@5.x.x.
Updating to that version would fix the problem.

santiagogil added a commit to santiagogil/request that referenced this issue Feb 16, 2018
In order to avoid a known vulnerability in hoek.
request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439

Closes request#2874
@santiagogil santiagogil mentioned this issue Feb 16, 2018
@erik-beus

This is also an issue with earlier releases. We use node-sass, which uses request ~2.79.0, which uses hawk@3.1.3. Would it be possible to patch earlier releases with the latest version of hawk as well?
Otherwise I will open an issue in the node-sass repo to upgrade their version of request.

Btw hoek@4.2.1 has a fix for the security issue (see https://github.com/hapijs/hoek/pull/231/files)
I believe that solves the issue for hawk@6.0.2 since it uses hoek@4.x.x?

@ferrao

ferrao commented Feb 18, 2018

Bcrypt, with more than half a million downloads last month according to npm, is also vulnerable to the Prototype Pollution Attack due to bcrypt@1.0.3 > node-pre-gyp@0.6.36 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
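
The "prototype pollution attack" named above, as an added example that is not part of this thread and is not hoek's code: the textbook form of the bug class is a deep merge that copies a key literally named `__proto__` out of attacker-controlled JSON, which makes the recursion write into `Object.prototype` and so into every object in the process. Both merge functions, the JSON payload and the marker property `polluted` are constructed for illustration; the hardened variant shows the two checks that close the hole.

```javascript
'use strict';

// Deep merge in the style that is vulnerable: it trusts every own key of
// `source`, including a key literally named "__proto__". Constructed for
// this example; it is not hoek's implementation.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      // For key === "__proto__", target[key] resolves through the accessor to
      // Object.prototype, so the recursion writes into every object's prototype.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: refuse the keys that can reach a prototype, and only
// recurse into own properties of `target`, never into inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      continue;
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a constructed attacker payload into an empty object with `mergeFn`
// and report whether an unrelated, freshly created object gained `polluted`.
// JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
// Object.prototype is cleaned afterwards so repeated checks start clean.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
```

The check that matters in practice is the last one: after the merge, an object the attacker never touched has a new property. That is why this bug class is more than a denial of service; any later code that does `if (options.isAdmin)` or `obj.hasOwnProperty`-free lookups sees the injected value. A further hardening is to build the merge target with `Object.create(null)` so there is no prototype to reach at all.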

@erik-beus

@ferrao there is an open issue in node-pre-gyp for this mapbox/node-pre-gyp#346

@b4dnewz

b4dnewz commented Feb 27, 2018

Just update the hawk line to >= v7.x.x; hoek has been updated to the latest, which is patched according to nsp:

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 4.2.0                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
└────────────┴────────────────────────────────────────────────────────────────────┘
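
A way to check which hoek versions a project actually resolved, against the range in the nsp table above, as an added example that is not part of this thread or of nsp: walk an `npm ls --json`-shaped tree, list every path that pulls in hoek, and flag the ones inside `<= 4.2.0 || >= 5.0.0 < 5.0.3`. This is the question behind the "same one, with different path" comment earlier in the thread: the advisory is per installed copy, and a project can hold several. The tree below is constructed, not captured npm output; its first two paths are the ones reported in this thread, the third is the patched hawk@7.0.7 > hoek@5.0.3 pair, and `my-app` and `example-cli` are made-up package names.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) {
    throw new Error(`unparseable version: ${v}`);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) {
      return pa[i] < pb[i] ? -1 : 1;
    }
  }
  return 0;
}

// Vulnerable range taken from the nsp table: <= 4.2.0 || >= 5.0.0 < 5.0.3
function isVulnerableHoek(version) {
  if (compareVersions(version, '4.2.0') <= 0) {
    return true;
  }
  return compareVersions(version, '5.0.0') >= 0 && compareVersions(version, '5.0.3') < 0;
}

// Walk an `npm ls --json`-shaped tree ({ version, dependencies: { name: node } })
// and collect every hoek node together with the path that pulls it in.
function findHoek(tree, rootName) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === 'hoek') {
      hits.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: isVulnerableHoek(node.version),
      });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, rootName, []);
  return hits;
}

// Constructed sample tree (not captured npm output); package names my-app and
// example-cli are made up for the example.
const SAMPLE_TREE = {
  version: '1.0.0',
  dependencies: {
    request: {
      version: '2.83.0',
      dependencies: {
        hawk: { version: '6.0.2', dependencies: { hoek: { version: '4.2.0' } } },
      },
    },
    'example-cli': {
      version: '1.0.0',
      dependencies: {
        request: {
          version: '2.79.0',
          dependencies: {
            hawk: { version: '3.1.3', dependencies: { hoek: { version: '2.16.3' } } },
          },
        },
      },
    },
    hawk: { version: '7.0.7', dependencies: { hoek: { version: '5.0.3' } } },
  },
};

for (const hit of findHoek(SAMPLE_TREE, 'my-app')) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\t${hit.path}`);
}
```

To run it against a real project, save the output of `npm ls --json` and pass the parsed object to `findHoek`. Because `npm ls` describes the installed tree rather than the ranges in `package.json`, a `hawk@6.0.2` that declares `hoek@4.x` can show up as `hoek@4.2.0` on one machine and `hoek@4.2.1` on another depending on the lockfile, which is the situation discussed later in this thread.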

@dutscher

+1

@esrose

esrose commented Mar 7, 2018

Is there a timeline for publishing 2.83.2 with the new hawk version to resolve this issue?

@jwalton

jwalton commented Mar 8, 2018

@preeteshjain raised a PR, but there are a number of test failures, so it might not be a trivial fix.

@preeteshjain

@jwalton There's definitely some issue with the CI integration. I checked on Travis, it is failing with this error for everyone:

npm ERR! code ELIFECYCLE
npm ERR! errno 6
npm ERR! request@2.83.1 test-ci: `taper tests/test-*.js`
npm ERR! Exit status 6
npm ERR! 
npm ERR! Failed at the request@2.83.1 test-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/travis/.npm/_logs/2018-03-03T22_16_02_776Z-debug.log
npm ERR! Test failed.  See above for more details.

See this comment: #2871 (comment)

@b4dnewz

b4dnewz commented Mar 9, 2018

@preeteshjain actually for me the tests don't work locally either

@denghongcai

-1

break node6 support
https://travis-ci.org/request/request/jobs/352225158

@saitho

saitho commented Mar 13, 2018

break node6 support

Then we should update the required NodeJS version for request to a version that is working... ;) Also, since the current LTS is 8.10.0, I don't see a point in insisting on NodeJS 6.
If this package is using semantic versioning that would mean a v3.0.0. ;) @simov

@kara-ryli

so since the current LTS is 8.10.0 I don't see a point in insisting on NodeJS 6.

Boron is in LTS until April 2019. Please do not break v6 support until it enters EOL.

@joshrickert

Hoek's backported the fix and released it with 4.2.1, which satisfies the required versions all the way up the dependency tree without needing any changes in this repo. I was able to clear out the security notice by forcing an update:

npm install hoek@4.2.1 --save
npm uninstall hoek --save

Clearing out your node_modules and package-lock.json then running a fresh npm install should also do the trick.

@benwiggins

Yep. hoek 4.2.1 was released 2 months ago to fix the vulnerability.

hawk@6.0.2's dependency on hoek is pinned at 4.x, meaning that if you reinstall fresh you should be pulling down 4.2.1. If you are pulling down 4.2.0 that is an issue with your project/package manager, not request.

@compulim

And now hoek <~5.0.3 has a vulnerability, CVE-2018-3728.

@webextensions

This seems to have been fixed. See:
#2893
#2893 (comment)

@stale

stale bot commented Jun 7, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 7, 2019
@stale stale bot closed this as completed Jun 14, 2019