Security Issue

Question

Security Issue

allanice001 opened this issue 3 years ago · 18 comments

Issues with no direct upgrade or patch:
✗ XML External Entity (XXE) Injection [Medium Severity][https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960] in xmldom@0.1.31
introduced by passport-twitter@1.0.4 > xtraverse@0.1.0 > xmldom@0.1.31
This issue was fixed in versions: 0.5.0

Any chance of upgrading the xmldom dependency?

Answer 1 · 2021-05-20T16:02:11.000Z

The fix need to append on xtraverse first, see PR:
jaredhanson/node-xtraverse#1

Answer 2 · 2021-09-05T18:06:07.000Z

The fix need to append on xtraverse first, see PR:
jaredhanson/node-xtraverse#1

This lib looks to have last been updated 8 years ago. Perhaps it needs to be forked, or is there any other way to fix this issue here?

Answer 3 · 2021-09-17T01:15:55.000Z

I've done the needful - https://www.npmjs.com/package/xtraverse1

Answer 4 · 2021-09-17T09:03:29.000Z

Thank you @allanice001

Answer 5 · 2021-11-11T14:20:45.000Z

@jaredhanson I know you're around now, you committed to this repo yesterday 😸

Can you merge jaredhanson/node-xtraverse#1 now? 🙏

Answer 6 · 2022-01-16T20:32:25.000Z

Hello, any news on this matter? I implemented "passport-twitter": "^1.0.4", today and discover that it Depends on vulnerable versions of xmldom. Is it a package people use in production or is there another package somewhere to be used? Thanks!

Answer 7 · 2022-01-16T22:23:21.000Z

Hello, any news on this matter? I implemented "passport-twitter": "^1.0.4", today and discover that it Depends on vulnerable versions of xmldom. Is it a package people use in production or is there another package somewhere to be used? Thanks!

If you take the time to understand the previous comments in this issue you should understand that the fix is in the way. And asking for an alternative package instead of helping the maintainer to update is not the right way to help an open source librairie in my POV. So be patiente is the best course of action if you are not knowledgeable .

Answer 8 · 2022-01-17T15:05:21.000Z

I love OSS, but this issue has been going on for over 6 months, without the current maintainer @jaredhanson taking note of this issue., so in all respect @hthetiot - please advise an alternative - the PRs are done, and unless there are more maintainers to the package, there really is no way forward.

Answer 9 · 2022-03-14T08:08:55.000Z

Ref:

jaredhanson/node-xtraverse/pull/2

Answer 10 · 2022-11-03T17:08:55.000Z

Any updates on this issue please ?

Answer 11 · 2022-11-03T20:56:09.000Z

I've done the needful - https://www.npmjs.com/package/xtraverse1

still no feedback from the original maintainer @jaredhanson

Answer 12 · 2022-11-05T12:18:29.000Z

Good day, is there an alternative package to use? Seems that the maintainer is unresponsive for a very long time.

Answer 13 · 2022-11-05T13:52:49.000Z

Alright everyone,
I've cloned the two repositories and started their own lifecycle at passportjs
I've also created a npm org @passport-js

Right now, you're more than welcome to look at using @passport-js/passport-twitter as a replacement dependency, which consumes the patched traverse package - @passport-js/xtraverse

Answer 14 · 2022-11-05T14:59:26.000Z

@allanice001 are you part of the passport.js organization?

Answer 15 · 2022-11-05T16:12:56.000Z

@julianlam
I am a tenured developer and security professional with over 20 years of experience.
the repository owner has not responded to what is IMHO a critical bug in over a year, and everyone here is just pinging a dead thread.

as @dmitrizzle suggested here: #107 (comment)

What I have done is exactly that. clone the repository, and create the new lifecycles. Something it seems like no one else wanted to do.

The GitHub and npm organizations I mentioned are created by myself at the minute, and would love to have maintainers join. I'd be happy to continue this conversation offline or on a different platform

Answer 16 · 2022-11-05T16:34:39.000Z

@allanice001 thanks for responding, I only raise the concern due to concerns over the software supply chain. It was not meant as an attack on your person 🙂

I was just surprised that you elected to use the passportjs name instead of your own personal fork.

Answer 17 · 2022-11-05T16:40:04.000Z

no worries - the intention is that a community can be built to support it, with multiple leaders, instead of just a single person, and that's what led to my decision not to point to a personal fork.

In the same breath, what happens when I don't respond to security concerns or concerns regarding the maintenance of the packages or other issues that are bound to happen in the future? How does open source survive if it's just one person?

In no way am I trying to nullify what Jared has started, but more looking at a way to improve the status quo for everyone

Answer 18 · 2022-11-23T23:18:33.000Z

Thank you @allanice001, I was hoping to avoid fork and motivate the maintainer, I was going to fork myself in the end and re-publish on npm, having it under @passportjs umbrella is even better.

Let all move on to https://www.npmjs.com/package/@passport-js/passport-twitter

Cold case close for me.