DirtyHairy/node-libxl

node security: "Downloads Resources over HTTP"

Closed · 1 comment

https://nodesecurity.io/advisories/178

libxl provides Node bindings for the libxl library for reading and writing Excel (XLS and XLSX) spreadsheets.

libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the network or positioned in between the user and the remote server.

No fix is currently available for this vulnerability.

It is our recommendation to not install or use this module at this time.

  • The mentioned download is the SDK that is downloaded from xlware during installation. This is not available via HTTPS, I don't want to mirror it for legal reasons, and I can't pin to a well-known version and check the SHA as xlware removes old downloads on a regular basis.
  • If you want to avoid the download, you can set the NODE_LIBXL_SDK_ARCHIVE during installation in order to use a local copy (check the docs for details).

I have reached out to nodesecurity before, and I thought that this issue was solved, but, evidently, it isn't. I'll contact them again, but other than that, there's not much I can do (apart from including a note in the docs, which is what I will do if nothing changes on nodesecurity's end).