
Consider to rewrite without prototype pollution? #771

Closed
beenotung opened this issue Feb 15, 2021 · 11 comments

Comments

@beenotung commented Feb 15, 2021

Version: 5/6/7/8

Environment:

  • Operating system: any
  • Browser: any
  • Node.js: any

Expected result:
The library should be free of vulnerabilities.

Actual result:
The library depends on fusing@1.0.0, which depends on predefined@0.1.2, which has a "Prototype Pollution" vulnerability.

Steps to reproduce:
Check the primus vulnerability report on the websites below:

  1. https://snyk.io/test/npm/primus/
  2. https://snyk.io/vuln/SNYK-JS-PREDEFINE-1054935

Is this a false positive vulnerability report?

@lpinca (Member) commented Feb 17, 2021

The predefine vulnerability should be fixed but it should not affect primus due to how it is used internally. No untrusted input is used.
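The point above, that a prototype-pollution bug in a defaults-merging helper only bites when attacker-controlled keys reach it, is easier to see in code. The following is an added example and not code from primus or predefine: a minimal recursive "apply defaults" helper in an unsafe and a hardened form, plus a validator for input that crosses a trust boundary. All function names and sample inputs are constructed for this illustration.

```javascript
// Added example (not primus or predefine code): a recursive "apply defaults"
// helper of the kind these advisories describe, unsafe and hardened, plus a
// validator for untrusted input. Names and sample inputs are constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: JSON.parse makes "__proto__" an own enumerable key, and
// target["__proto__"] is Object.prototype, so the recursion writes into the
// shared prototype and every object in the process inherits the value.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain and only descend into an
// own object property of target, never an inherited one.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validator for data crossing a trust boundary (request bodies, config files):
// returns the dotted path of the first forbidden key, or null if none.
function findForbiddenKey(obj, path = '') {
  if (obj === null || typeof obj !== 'object') return null;
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findForbiddenKey(obj[key], here);
    if (nested) return nested;
  }
  return null;
}
```

Feeding `JSON.parse('{"__proto__": {"polluted": true}}')` to `mergeUnsafe` makes `({}).polluted` true for every object in the process, while `mergeSafe` leaves the prototype untouched and `findForbiddenKey` reports the offending path before the merge runs.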

@beenotung (Author) commented:

Thanks for the review.
Would it be possible to "whitelist" this vulnerability report from snyk.io?

@lpinca (Member) commented Mar 28, 2021

I think you can ignore it using the Snyk CLI. See https://support.snyk.io/hc/en-us/articles/360003851317-Ignore-vulnerabilities.

@davedoesdev (Contributor) commented:

npm audit is still reporting a vulnerability:

# npm audit report

predefine  *
Severity: critical
Prototype pollution vulnerability in 'predefine' - https://github.com/advisories/GHSA-mx3x-ghqm-r43h
fix available via `npm audit fix --force`
Will install primus@2.0.4, which is a breaking change
node_modules/predefine
  fusing  *
  Depends on vulnerable versions of predefine
  node_modules/fusing
    primus  >=2.1.0
    Depends on vulnerable versions of fusing
    node_modules/primus

3 critical severity vulnerabilities

@davedoesdev (Contributor) commented:

Dependabot too:

CVE-2020-28280
critical severity
Vulnerable versions: <= 0.1.2
Patched version: No fix
Prototype pollution vulnerability in 'predefine' versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution.

@lpinca (Member) commented Nov 13, 2021

There is an open PR to fix the issue in the predefine repository but I am not a maintainer of that package. I'll try to ping @3rd-Eden on Twitter.

@davedoesdev (Contributor) commented:

@lpinca thanks - any news?

@lpinca (Member) commented Nov 25, 2021

No answer from @3rd-Eden. I sent a ping also yesterday. We could fork predefine but it is a shame because it would leave any previous primus version "vulnerable".

@lpinca (Member) commented Jan 30, 2022

predefine@0.1.3 has been released. We can finally close this. Thank you @Swaagie!

lpinca closed this as completed Jan 30, 2022

@davedoesdev (Contributor) commented:

Thanks @lpinca and @Swaagie

@MateuszKikmunter commented:

Has it been really solved? Still getting prototype pollution from Snyk reports. Or is it safe to ignore this with the Snyk CLI? @lpinca
[Screenshot 2022-02-21 at 17:50:22 attached]
