Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in shelljs dependency: CWE-772: Missing Release of Resource after Effective Lifetime #1149

Open
Gil-Littman opened this issue Feb 14, 2024 · 4 comments · May be fixed by #1153
Open

Vulnerability in shelljs dependency: CWE-772: Missing Release of Resource after Effective Lifetime #1149

Gil-Littman opened this issue Feb 14, 2024 · 4 comments · May be fixed by #1153
Assignees
@nfischer
Labels
security

Comments

@Gil-Littman
Copy link

ShellJS version (the most recent version/Github branch you see the bug on):

0.8.5

Description of the bug:

A transitive dependency of shelljs introduces a vulnerability. This can be solved by updating the glob version to 9.0.0 or higher.
@nfischer
Copy link
Member

I understand that this package is a transitive dependency, but do you know if the inflight vulnerability actually be exploited in glob? Snyk has a bad habit of flagging any "vulnerability" as something which needs fixing, without consideration of whether the warning actually applies to the downstream projects.

Unfortunately, glob@9 is not compatible with node v8, which is compatibility ShellJS still supports. Fixing this is not a trivial package upgrade.

@nfischer
Copy link
Member

#828 might be a possible path forward. I originally filed that ticket because fast-glob seemed to have nice perf wins, but switching to that would also mean we can avoid this dependency. I think it's mostly a drop-in replacement, but I see a few behavior differences around symlinks (both broken and non-broken). The behavior differences are clear since several tests are broken.

If someone wants to start a PR to move to fast-glob, let me know. I'm happy to review and provide guidance on the path forward.

@Gil-Littman
Copy link
Author

I don't know that the vulnerability is exploitable in glob (probably not), but I also don't know that it isn't.
I was hoping this would be a straight forward fix, I'm sorry to hear it isn't.
I'll keep an eye on #828

Thanks for your quick response.

nfischer added a commit that referenced this issue Feb 18, 2024
@nfischer
feat: switch to fast-glob
3015415 
This removes `node-glob` in favor of `fast-glob`. The main motivation
for this is because `node-glob` has a security warning and I can't
update to `node-glob@9` unless we drop compatibility for node v8.

Switching to `fast-glob` seems to be fairly straightforward, although
some options need to be changed by default for bash compatibility.

Fixes #828
Fixes #1149
@nfischer nfischer linked a pull request Feb 18, 2024 that will close this issue
Open
@nfischer
Copy link
Member

I think the switch to fast-glob was more straightforward than expected. I wrote up #1153 to do this.

Unfortunately we currently expose globOptions as part of our public API. I think deprecating this is the best path forward (I don't think anyone uses this API), however if there's a need for this then we may be able to manually convert node-glob parameters into the corresponding fast-glob parameters. https://www.npmjs.com/package/fast-glob#compatible-with-node-glob has a nice conversion table.

@nfischer nfischer self-assigned this Feb 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nfischer nfischer

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

refactor: switch to fast-glob shelljs/shelljs
2 participants
@nfischer @Gil-Littman