cfpb/consumer-credit-trends

Update npm packages

Closed this issue · 5 comments

If the following packages are being used in prod, please update or upgrade them.

Regular Expression Denial of Service

High severity
Vulnerable module: negotiator
Introduced through: gulp-connect@5.0.0
Detailed paths

Introduced through: consumer-credit-trends@cfpb/consumer-credit-trends#59bebeb7fbcc8d3abf6e5340387c6bee4574db9e › gulp-connect@5.0.0 › connect@2.30.2 › compression@1.5.2 › accepts@1.2.13 › negotiator@0.5.3
Introduced through: consumer-credit-trends@cfpb/consumer-credit-trends#59bebeb7fbcc8d3abf6e5340387c6bee4574db9e › gulp-connect@5.0.0 › connect@2.30.2 › serve-index@1.7.3 › accepts@1.2.13 › negotiator@0.5.3
Overview

negotiator is an HTTP content negotiator for Node.js. Versions prior to 0.6.1 are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing the "Accept-Language" HTTP header.

An attacker can provide a long value in the Accept-Language header, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the thread and preventing it from processing other requests. By repeatedly sending multiple such requests, the attacker can make the server unavailable (a Denial of Service attack).

Cross-site Scripting (XSS)

Medium severity
Vulnerable module: jquery
Introduced through: cf-expandables@3.1.0 and cf-tables@1.1.0
Detailed paths

Introduced through: consumer-credit-trends@cfpb/consumer-credit-trends#59bebeb7fbcc8d3abf6e5340387c6bee4574db9e › cf-expandables@3.1.0 › jquery@1.11.3
Introduced through: consumer-credit-trends@cfpb/consumer-credit-trends#59bebeb7fbcc8d3abf6e5340387c6bee4574db9e › cf-tables@1.1.0 › jquery@1.11.3
Overview

jquery is a JavaScript library for DOM operations.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option, causing text/javascript responses to be executed.
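For the negotiator ReDoS finding above, the following is an added example, not code from this issue, from negotiator, or from the consumer-credit-trends repository. It shows the defender's side of the problem: a bounded, linear-time Accept-Language parser that uses no regular expression at all, so an over-long or near-matching header value has nothing to make backtrack, and oversized headers are rejected before any parsing work is done. The 2048-byte cap, the function names, and the constructed stress header are this example's own assumptions.

```javascript
// Added example (not from the issue, negotiator, or this repo): a bounded,
// linear-time Accept-Language parser with no regular expressions.

const MAX_HEADER_LEN = 2048; // assumption: ample for real browsers, far below abusive sizes

// True when s is one or more ASCII letters/digits (one Accept-Language subtag).
function isAlnum(s) {
  if (s.length === 0) return false;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (!((c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122))) return false;
  }
  return true;
}

// Language range: "*" or 1-8 character alphanumeric subtags joined by "-".
function isLanguageRange(tag) {
  if (tag === '*') return true;
  return tag.split('-').every((sub) => sub.length <= 8 && isAlnum(sub));
}

// qvalue per RFC 7231: "0" ["." 0*3DIGIT] / "1" ["." 0*3("0")], checked char by char.
function isQValue(v) {
  if (typeof v !== 'string' || v.length === 0 || v.length > 5) return false;
  if (v[0] !== '0' && v[0] !== '1') return false;
  if (v.length === 1) return true;
  if (v[1] !== '.') return false;
  for (const ch of v.slice(2)) {
    if (ch < '0' || ch > '9') return false;
    if (v[0] === '1' && ch !== '0') return false;
  }
  return true;
}

// Parse one element such as "en-GB;q=0.8"; returns null when it is malformed.
function parseElement(raw) {
  const parts = raw.split(';');
  const tag = parts[0].trim();
  if (!isLanguageRange(tag)) return null;
  let q = 1;
  for (const param of parts.slice(1)) {
    const eq = param.indexOf('=');
    const key = (eq === -1 ? param : param.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : param.slice(eq + 1).trim();
    if (key === 'q') {
      if (!isQValue(val)) return null;
      q = parseFloat(val);
    }
  }
  return { tag, q };
}

// Returns accepted ranges sorted by q (highest first, header order on ties).
// Throws RangeError for an oversized header so the caller can answer 431/400
// up front. Malformed elements and q=0 elements are skipped, not fatal.
function parseAcceptLanguage(header, maxLen = MAX_HEADER_LEN) {
  if (typeof header !== 'string') return [];
  if (header.length > maxLen) {
    throw new RangeError(`Accept-Language too long: ${header.length} > ${maxLen}`);
  }
  const out = [];
  header.split(',').forEach((el, index) => {
    const parsed = parseElement(el.trim());
    if (parsed !== null && parsed.q > 0) out.push({ ...parsed, index });
  });
  out.sort((a, b) => b.q - a.q || a.index - b.index);
  return out.map(({ tag, q }) => ({ tag, q }));
}

// Constructed stress input: 5000 valid elements (60 KB), far past the cap.
const STRESS_HEADER = 'en-US;q=0.9,'.repeat(5000);

// Parse the stress header with the cap lifted and report how long it took;
// the cost grows linearly with the input rather than catastrophically.
function stressResult() {
  const start = process.hrtime.bigint();
  const elements = parseAcceptLanguage(STRESS_HEADER, Infinity).length;
  return { elements, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

console.log(parseAcceptLanguage('en-US,en;q=0.8,fr;q=0.5'));
try { parseAcceptLanguage(STRESS_HEADER); } catch (e) { console.log(e.message); }
console.log(stressResult());
```

The actual fix for the finding is the dependency upgrade (negotiator 0.6.1 or later, per the advisory); a header length cap enforced at the proxy or framework layer is defence in depth that also protects any other header parser in the chain.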

Thank you for drawing our attention to this, @lfatty!

We'll add a task for this to our internal project board, and correct this (and any other vulnerabilities we find) through a pull request today or tomorrow.

This problem is partially addressed through the following pull request: #13

cfarm commented

@marteki what else is left to be done for this?

I retested it and all is looking great, which means that there is no high or critical issue. It should be noted that the version of jquery has a medium finding which we discussed here. GHE/CFGOV/platform/issues/488

Thanks, @lfatty! The PR I submitted (#13) changed our direct dependency version of jQuery to v1.12.x, which doesn't have the linked vulnerability.

I believe that our org's front-end developers are discussing how to address the cf-expandables and cf-tables vulnerabilities, as I called it out to them and filed an issue on the capital-framework repo about it.

I think that we've done everything we can/need to do in this repo for this. Thanks again for the scan and the follow-up comment, Lamin! I'm closing this issue as resolved.