fix: critical and medium vulnerabilities reported by snyk

[ayeletdasa]

Description

Snyk security scan reports that class-validator has critical and medium vulnerabilities related Cross-site Scripting and SQL Injection and dependency out-of-date (respectfully)

Minimal code-snippet showcasing the problem
https://snyk.io/vuln/npm:class-validator

The medium vulnerability related to dependency out-of-date can be fixed easily by upgrading the validation dependency to 13.7.0 version.

Expected behavior

Library should not have security vulnerabilities.

Actual behavior

Critical and medium vulnerabilities were found.

[az67128]

Is there any plans to fix it?

[shaunek]

I've been lurking around this repo for a couple months because my security tool (snyk) keeps on bugging me about different vulnerabilities in this package, and my assessment is that the repo is in limbo. There have been no non-dependabot commits since Jan '21 and I'm not seeing any maintainers actively responding to issues. I'm starting to consider utilizing a different library.

I just noticed that the Nestjs guys were worried enough about this that they forked this repo and they seem to have their dependencies up-to-date. I'm not necessarily suggesting anyone switch to a fork but it might be something to consider looking at https://www.npmjs.com/package/@nestjs/class-validator

[IanMoroney]

For anyone interested in resolving this issue, change to the recently forked (and patched) @nestjs/class-validator package.

"@nestjs/class-validator": "^0.13.3"

Update your import references too, and you should be good to go 👍

[shaunek]

I have moved over to using the @nestjs/class-validator but users of nestjs should be aware that if you are using class-validator simply because it is a nestjs peerDependency (and you need to use ValidationPipe or something), simply replacing class-validator with @nestjs/class-validator won't work by itself. See nestjs/nest#8562

[braaar]

Closing this. Let's track this in #1422

[NoNameProvided]

Hi all!

Sorry for the long overdue update, I would like to chime in to clarify a few things.

First of all, as mentioned before in other threads the reported issue is not a security vulnerability in the sense that you can defend against it by specifying the forbidUnknownValues: true option.

I still think this was opened by mistake and it's the same as if I would open a vulnerability report on NodeJS saying "if I turn off the server the NodeJS application crashes". The valid (and fixed) problem was in the class-transformer package that I fixed in a rather speedy manner in under 10 days from disclosure. (The fastest fix from the 3 affected packages.) That issue was properly reported privately to me with a pentest report explaining the attack vector.

A second problem is that for this vulnerability I was never provided a reproducible test case officially, saying: this is what failing and needs to be fixed. The closest to an official example is from the issue in this repository that is linked in the security reports: #438. Running that example code shows the issue is fixed for almost a year now.

Code snippet from #438

import { validate, IsInt, Length, IsEmail, IsFQDN, IsDate, Min, Max } from "class-validator"; 
import { plainToClass } from "class-transformer";

class Post {
  @Length(10, 20) 
  title: string; 
  
  @IsInt() 
  @Min(0) 
  @Max(10) 
  rating: number; 
  
  @IsEmail() 
  email: string; 
  
  @IsFQDN() 
  site: string; 
  
  @IsDate() 
  createDate: Date;
}

let userJson = JSON.parse('{"title":1233, "proto":{}}'); // a malformed input 
let users = plainToClass(Post, userJson);

validate(users, { forbidUnknownValues: true }).then(errors => { // errors is an array of validation errors 
  if (errors.length > 0) { 
    console.log("validation failed. errors: ", errors); 
  } else { 
    console.log("validation succeed"); 
  } 
});

This code fails with validation errors as expected.

So you may ask why the security advisory is still open? That's the million-dollar question, and the answer is that when you try to write to someone they will redirect to someone else who will redirect to someone else who will redirect to the first org. It's a circle and everybody says: "sorry I just source my data from someone else", I cannot do anything for you.

Another contributor tried to write to them, and I have tried to write to them. No success.

The mistake I made was that after a while I stopped trying. I knew the issue don't exist so I am using it without worrying, but I see how an open critical advisory is scary for others.

To sum up my plan for going at it again:

• I will flip the default settings for forbidUnknownValues and make a release so there is literally zero ground to say this is a vulnerability
• I will try to contact the SNYK and other organizations again to tell them the issue is not present
• I will repeat step two until someone actually can update the security advisory

Also, it is worth noting that the other package under the NestJS org doesn't fix any issues. The security warning is not present there because it has a different name, not because the "problem is fixed".

PS: As @braaar mentioned, this is tracked in another issue now, please subscribe to that for future changes.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.