[Snyk: Med] Prototype Pollution (Due 07/05/2020) #4337

Closed
1 of 2 tasks
fec-jli opened this issue May 6, 2020 · 9 comments
Labels: Security: moderate; Remediate within 60 days

Comments

fec-jli (Contributor) commented May 6, 2020

Summary

Medium severity vulnerability found
Description: Prototype Pollution
Info: https://app.snyk.io/vuln/SNYK-JS-LODASH-567746
Prototype Pollution is a vulnerability affecting JavaScript.

Remediation: There is no fixed version for lodash.

Completion criteria:

  • Check to see if there's a remediation path for this
  • Consider/document alternatives or workaround to solve this security issue and do that thing
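
To make the vulnerability class concrete, here is an added JavaScript example (not code from the openFEC repo, from lodash, or from anyone in this thread). It shows a naive recursive merge that a JSON document can steer onto Object.prototype, a hardened merge that refuses prototype-related keys, and a canary that reports whether Object.prototype has been polluted. The function names and the sample input are constructed for the illustration.

```javascript
// Added example (not code from the openFEC repo or from lodash): a naive
// recursive merge that lets a JSON document reach Object.prototype, a hardened
// merge that refuses prototype-related keys, and a runtime canary for checking
// whether Object.prototype has been polluted. Names and the sample input are
// constructed for this illustration.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: copies every key of `src` into `dst`, recursing into objects.
// When `src` carries an own key named "__proto__" (JSON.parse creates exactly
// that), `dst["__proto__"]` resolves to Object.prototype and the recursion
// writes there, so every object in the process inherits the injected keys.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that address the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep merge: skips prototype-related keys and only recurses into an
// object that `dst` *owns*, never into one it inherits.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Canary: Object.prototype should have no own enumerable keys. Anything listed
// here was added at runtime, which is what a pollution payload leaves behind.
function prototypeCanary() {
  return Object.keys(Object.prototype);
}

// Runs both merges against the same constructed payload and reports what each
// left on Object.prototype. Cleans up afterwards so the process stays sane.
function demo() {
  // Constructed untrusted input, e.g. a request body parsed with JSON.parse.
  const untrusted = JSON.parse('{"name": "cfg", "__proto__": {"isAdmin": true}}');

  const before = prototypeCanary();

  safeMerge({}, untrusted);
  const afterSafe = { canary: prototypeCanary(), inherited: ({}).isAdmin };

  naiveMerge({}, untrusted);
  const afterNaive = { canary: prototypeCanary(), inherited: ({}).isAdmin };

  delete Object.prototype.isAdmin;   // undo the pollution for the rest of the process
  return { before, afterSafe, afterNaive };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened merge closes the `__proto__` path; `constructor` and `prototype` are rejected for the same reason, since `obj.constructor.prototype` is another route to the shared prototype. A safer default for any object that holds untrusted keys is `Object.create(null)`, which has no prototype to reach at all.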
pkfec (Contributor) commented Jun 3, 2020

  1. Tried updating lodash to v4.17.15 in package.json
  2. Deleted the package-lock.json from local: rm -rf package-lock.json
  3. Deleted the node_modules from local: rm -rf node_modules/
  4. Installed npm pkgs again: npm i and npm run build
  5. From CLI ran: snyk test
  6. Prototype pollution vulnerability still exists on openFEC repo.

The latest version of the lodash pkg still does not have the patch/remediation for Prototype Pollution yet. At this point there is nothing I can do but wait for the PATCH to be released here (https://app.snyk.io/vuln/SNYK-JS-LODASH-567746)

pkfec (Contributor) commented Jun 12, 2020

Patch yet to be released for Lodash v4.17.15. Until then moving this ticket to blocked section.

rfultz (Contributor) commented Jun 26, 2020

@pkfec looking through the repo, things are going to be complicated.

  • It doesn't look like our code is using lodash at all—no references to lodash anywhere in code that we wrote or maintain. We have it listed as a dev dependency but I suspect that's only to dictate a minimum version for other dependencies.
  • I can't find any reference to .objectDeep so maybe we're at lower risk
  • However, several other packages are using lodash, and those packages may all need updates, depending on how lodash implements the fix (with their PR #4759).
  • Packages involved (who may all need to update), npm ls lodash:
    • babel-core
      • babel-generator
      • babel-register
      • babel-template
      • babel-traverse
      • babel-types
    • babel-preset-env
      • babel-plugin-transform-es2015-block-scoping
      • babel-plugin-transform-es2015-classes
        • babel-helper-define-map
      • babel-plugin-transform-es2015-sticky-regex
        • babel-helper-regex
    • css-loader
    • eslint
      • inquirer
      • table
    • extract-text-webpack-plugin
      • async
    • swagger-tools
      • json-refs
        • graphlib
    • webpack-dev-server
      • http-proxy-middleware
  • I wonder if moving these ☝️ to devDependencies would break anything, and maybe lower our risk
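
As an added example (not code from the openFEC repo or from npm), here is a small JavaScript check that answers the question this comment raises from the lock file instead of from `npm ls`: it walks the nested `dependencies` maps of a lockfileVersion 1 package-lock.json, lists every copy of lodash, and flags the ones below 4.17.19, the release this thread later upgrades to. The lock excerpt is constructed, and the versions of the packages other than lodash are placeholders.

```javascript
// Added example (not code from the openFEC repo or from npm): walk the
// dependency tree recorded in a lockfileVersion 1 package-lock.json and list
// every copy of a package, flagging the ones below a given fixed version.
// `npm ls lodash` shows the same tree interactively; reading the lock file
// lets the check run in CI without a node_modules install. The lock excerpt
// below is constructed; versions other than lodash's are placeholders.

const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.19' },
    'babel-core': {
      version: 'x.y.z',                                   // placeholder
      dependencies: { lodash: { version: '4.17.15' } },   // nested, unfixed copy
    },
    'swagger-tools': {
      version: 'x.y.z',                                   // placeholder
      dependencies: {
        'json-refs': {
          version: 'x.y.z',                               // placeholder
          dependencies: {
            graphlib: {
              version: 'x.y.z',                           // placeholder
              dependencies: { lodash: { version: '4.17.19' } },
            },
          },
        },
      },
    },
  },
};

// Parse "major.minor.patch" (pre-release/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps, collecting every
// occurrence of `name` together with the path that pulls it in.
function findPackage(deps, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...path, dep];
    if (dep === name) hits.push({ path: here.join(' > '), version: info.version });
    hits.push(...findPackage(info.dependencies, name, here));
  }
  return hits;
}

// Every copy of `name` in the lock, marked vulnerable when older than `fixedIn`.
function auditLock(lock, name, fixedIn) {
  return findPackage(lock.dependencies, name).map(hit => ({
    ...hit,
    vulnerable: compareVersions(hit.version, fixedIn) < 0,
  }));
}

for (const hit of auditLock(SAMPLE_LOCK, 'lodash', '4.17.19')) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

The nested copies are the ones `npm ls` shows indented under their parents: they exist because a parent pinned a range that the hoisted top-level copy does not satisfy, so bumping the top-level devDependency alone leaves them in place until the parent packages update or the lock is regenerated.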

rfultz (Contributor) commented Jun 26, 2020

Should we mark this as a dupe of #3740 ?

lbeaufort (Member) commented

It looks like a fix was made but a release still needs to be pushed: https://github.com/lodash/lodash/issues/4837

pkfec (Contributor) commented Jul 6, 2020

Notified security team that this issue is BLOCKED until the LODASH package is fixed in a later version.
See here: https://app.snyk.io/vuln/SNYK-JS-LODASH-567746

lbeaufort (Member) commented

Looks like a fix is ready: https://github.com/lodash/lodash/issues/4837#issuecomment-655648024

pkfec (Contributor) commented Jul 9, 2020

Lodash v4.17.19 was released just 13 hours ago. I am going to upgrade to this new version and test the openFEC repo. A PR will be ready for review soon.

pkfec mentioned this issue Jul 9, 2020

pkfec (Contributor) commented Jul 9, 2020

It seems @lbeaufort audited the npm pkg yesterday and already upgraded the lodash package to 4.17.17 on openFEC/develop.
See here for code changes: https://github.com/fecgov/openFEC/blob/develop/package.json#L43.

I ran the CLI command snyk test on the openFEC/develop branch; the Prototype Pollution snyk vulnerability is already resolved.

No code changes are needed. Closing this issue.
