Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update minimum request version to enforce security fix in tough-cookie dependency #425

Merged
merged 1 commit into from Oct 5, 2017
Merged

Update minimum request version to enforce security fix in tough-cookie dependency #425

merged 1 commit into from Oct 5, 2017

Conversation

quentinR
Copy link
Contributor

@quentinR quentinR commented Oct 2, 2017
edited

Update the version of the request dependency, due to a security issue in the tough-cookie library

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.

tough-cookie vulnerability
request update

@slnode
Copy link

slnode commented Oct 2, 2017

Can one of the admins verify this patch? To accept patch and trigger a build add comment ".ok\W+to\W+test."

@slnode
Copy link

slnode commented Oct 2, 2017

Can one of the admins verify this patch?

2 similar comments
@slnode
Copy link

slnode commented Oct 2, 2017

Can one of the admins verify this patch?

@slnode
Copy link

slnode commented Oct 2, 2017

Can one of the admins verify this patch?

@quentinR quentinR force-pushed the tough-cookie-sec-update branch 4 times, most recently from f51fb67 to 53231b4 Compare October 2, 2017 17:46
bajtos
bajtos suggested changes Oct 3, 2017
View reviewed changes
Copy link
Member

@bajtos bajtos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @quentinR, thank you for the pull request!

package.json Outdated
@@ -32,7 +32,7 @@
"loopback-phase": "^1.3.0",
"mux-demux": "^3.7.9",
"qs": "^6.2.1",
"request": "^2.55.0",
"request": "~2.83.0",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, ^2.55.0 will install the latest 2.x.y version of request, which includes 2.83.0. This change is not needed in the strict sense.

However, I think it makes sense to disallow older request version because they have a know security vulnerability, therefore I am fine with bumping up this version.

Please preserve the carrot operator ^, we don't use ~.

As can be seen from this comment, using ^ allows us to receive latest security fixes, while ~ would require us to update our dependencies whenever a security issue is fixed, and then our consumer would possibly have to update their dependencies too.

@bajtos
Copy link
Member

bajtos commented Oct 3, 2017

@slnode ok to test

@bajtos bajtos self-assigned this Oct 3, 2017
@quentinR
Copy link
Contributor Author

quentinR commented Oct 3, 2017

@bajtos thanks for the review, I updated my PR regarding your comment.
Let me know if you want me to squash the commits.

@bajtos
Update minimum request version to 2.83
7429142 
Enforce our users to upgrade to a recent request version that contains
latest security fixes:

 - tough-cookie vulnerability: https://nodesecurity.io/advisories/525
 - request update: request/request#2776
bajtos
bajtos approved these changes Oct 5, 2017
View reviewed changes
Copy link
Member

@bajtos bajtos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I have squashed the commits myself and edited the commit message to follow our 50/72 style.

Let's wait for CI results before landing.

@bajtos bajtos changed the title Updating request due to security fix of the tough-cookie dependecy. Update minimum request version due to security fix in tough-cookie dependecy Oct 5, 2017
@bajtos bajtos changed the title Update minimum request version due to security fix in tough-cookie dependecy Update minimum request version to enforce security fix in tough-cookie dependecy Oct 5, 2017
@bajtos bajtos changed the title Update minimum request version to enforce security fix in tough-cookie dependecy Update minimum request version to enforce security fix in tough-cookie dependency Oct 5, 2017
@bajtos bajtos merged commit 15ab1dd into strongloop:master Oct 5, 2017
@bajtos
Copy link
Member

bajtos commented Oct 5, 2017

Landed, thank you for the contribution! 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bajtos bajtos bajtos approved these changes

@clark0x clark0x Awaiting requested review from clark0x

@ebarault ebarault Awaiting requested review from ebarault ebarault is a code owner

@fabien fabien Awaiting requested review from fabien fabien is a code owner

@lehni lehni Awaiting requested review from lehni

@ritch ritch Awaiting requested review from ritch ritch is a code owner

@superkhau superkhau Awaiting requested review from superkhau

@zbarbuto zbarbuto Awaiting requested review from zbarbuto zbarbuto is a code owner

Assignees

@bajtos bajtos

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@quentinR @slnode @bajtos