FIX - updated grpc due to security vuln #100
lgtm
 *
 * @global
 * @constant
 * @type {Object}
 * @default
 */
const GRPC_OPTIONS = {
  convertFieldsToCamelCase: true,
  binaryAsBase64: true,
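Review bot: `binaryAsBase64: true` on the last line of this snippet is a legacy loader option, and the thread resolves that the newer options need `bytes: String` instead; replace the key rather than carrying it over, and have the `@type {Object}` JSDoc above say which loader the object is now passed to so the next reader knows why the keys changed.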
does grpc-loader not support this, or is it default?
We need to set bytes: String in the newer options. Good catch.
GitHub is back up.
 *
 * @global
 * @constant
 * @type {Object}
 * @default
 */
const GRPC_OPTIONS = {
  convertFieldsToCamelCase: true,
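Review bot: `convertFieldsToCamelCase: true` is carried over from the legacy options even though, per the reply in this thread, camelCase conversion already happens by default in @grpc/proto-loader; drop the key so the object holds only options the new loader actually reads, and point the JSDoc at the proto-loader package page cited below for the option names.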
does grpc-loader not support this, or is it default?
This happens by default. More info here: https://www.npmjs.com/package/@grpc/proto-loader
@treygriffith I've made the change for bytes.
This LGTM
LGTM
We've received a security notice for lnd-engine that asks us to upgrade grpc to a version > 1.12.x. This PR updates grpc to latest to relieve this notice.
Vulnerability: our current version of node-grpc depends on protobufjs < 5.0.3 which has a DoS security issue. The security issue is a RegEx DoS attack where the evaluation of a certain string takes a long amount of time (and can effectively jam the process using protobufjs)
More info on ReDoS: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Fix in protobufjs: protobufjs/protobuf.js#1030
https://www.npmjs.com/advisories/605