[Project Dependencies] Vulnerability in the unset-value dependency

[priyaramu]

Is There An Existing Issue

• I have searched the issue tracker for similar problems.

What Are You Seeing

There is a high vulnerability reported by prisma while using newmna-reporter-htmlextra. The vulnerability is in unset-value 1.0.0 package which is a transitive dependency of @budibase/handlebars-helpers in newman-reporter-htmlextra. This is fixed in the unset-value 2.0.1 version.

Impacted versions: <2.0.1
Discovered: less than an hour ago
Published: 59 days ago
unset-value package versions before 2.0.1 are vulnerable to Prototype Pollution. unset() function in index.js files allows for access to object prototype properties. An attacker can exploit this to override the behavior of object prototypes, resulting in a possible Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.

Steps To Reproduce The Issue

Run a prisma scan against a docker image which contains newman-reporter-htmlextra package (latest version)

Full Newman Command Or Node Script

newman run postman_collection.json -e env.environment.json \
      -r cli,htmlextra --reporter-htmlextra-export ./smoke-test-report.html

HTMLEXTRA Version

1.22.8

Newman Version

5.3.2

Additional Context

No response

[DannyDainton]

I don't know what primsa is @priyaramu - can you provide more context here.

[w4dd325]

It sounds like it is this reported vulnerability with the NPM 'unset-value' package;
https://snyk.io/vuln/npm:unset-value#:~:text=Direct%20Vulnerabilities,and%20provides%20fixes%20for%20free.

The full paper is here;
https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

From the bits I have read, it appears a few of the dependencies used (eg; lodash/handlebars) would be vulnerable. The fix would be to ensure all dependencies are updated to the latest releases. (Which from a quick glance, they are).

[priyaramu]

I don't know what primsa is @priyaramu - can you provide more context here.

@DannyDainton Prisma tool is used to scan docker images and find the vulnerabilities if any -> https://prisma.pan.dev/docs/cloud/
https://prisma.pan.dev/docs/cloud/cwpp/twistcli_gs#scan-container-images-with-twistcli

[ackris]

@DannyDainton - this is still coming even after upgrading newman-reporter-htmlextra to 1.23.0. Is there any resolution to this?

unset-value is one of the transitive dependencies of newman-reporter-htmlextra.

=> Found "unset-value@1.0.0"
info Reasons this module exists
   - "=> Found "unset-value@1.0.0"
info Reasons this module exists
   - "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base" depends on it       
   - Hoisted from "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base#unset-value"
info Disk size without dependencies: "68KB"
info Disk size with unique dependencies: "132KB"
info Disk size with transitive dependencies: "236KB"
info Number of shared dependencies: 6
Done in 1.92s.#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base" depends on it       
   - Hoisted from "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base#unset-value"
info Disk size without dependencies: "68KB"
info Disk size with unique dependencies: "132KB"
info Disk size with transitive dependencies: "236KB"
info Number of shared dependencies: 6
Done in 1.92s.

the above is the output yarn why unset-value.

Please let us know if a fix is planned for this. This is becoming a blocker of sorts in our organization.

[DannyDainton]

It's not something I'm working on, this project is not my day job and unfortunately those things will always take priority.

If this is some that you can fix or you want to contribute to the project - PRs are very welcome.

This goes without saying but your organisation has chosen to use a 3rd party tool that they basically have no control over, there is never any guarantees that it will continue to work forever...that's the nature of software.