
Man In the Middle vulnerability #78

Closed
medikoo opened this issue Oct 4, 2019 · 12 comments · Fixed by #77

Comments

@medikoo

medikoo commented Oct 4, 2019

Medium level.

Reported by Snyk: https://app.snyk.io/test/npm/https-proxy-agent/2.2.2

@kachkaev

kachkaev commented Oct 7, 2019

@TooTallNate seems like Snyk flags 3.0.0 as vulnerable as well: https://app.snyk.io/test/npm/https-proxy-agent/3.0.0

Do you think it's just a matter of them re-running the audit manually? Or is their report still legit?

@TooTallNate (Owner)

I think something needs to be updated / reported on their end. Same for the HackerOne report.

@kachkaev

kachkaev commented Oct 7, 2019

@lirantal could you please help us here? 🙏

@lirantal

lirantal commented Oct 7, 2019

FYI that Snyk has public patches that can be applied if needed: https://app.snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131 and the Snyk tooling helps with applying these patches when no upgrade path is available.

Looks like @TooTallNate had only commented on the HackerOne report with a fix some 20 minutes ago so this is all fairly new. I'll update the Snyk team with this so we can triage and update fix availability as well as the Node.js Security WG repo too.

@lirantal

lirantal commented Oct 7, 2019

We've pushed the update to support 3.0.0 as a fixed version of the module and will be reported as such by Snyk starting tomorrow. Please ping me using the mention tag otherwise and I'll chime in to check what's up.

@benjifin

benjifin commented Oct 8, 2019

Hey just a heads up from Snyk's side - we've verified and released the update to support 3.0.0 as the fixed version. Thanks for pulling us in here to let us know about the fix (we do track all unfixed packages for releases, but always helpful when we get a heads up as well!)

@AaronFriel

It would be enormously helpful, I think, for downstream consumers to publish a new patch version matching the semver ^2. By bumping the major version at the same time, thousands of reverse dependencies are broken and npm audit fix doesn't resolve the problem for them. This has resulted in, for example, most of the @google-cloud ecosystem of packages being broken (npm audit fails in CI systems and npm audit fix cannot resolve it) as of the time I write this.

@AaronFriel

(Just as an aside, bumping the major version is not recommended by anyone as a response to a security vulnerability!)

@AaronFriel

See: #84
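The comments above argue that shipping the fix only as a new major version leaves every consumer on a `^2.x` range stuck, because `npm audit fix` can only move to versions inside the declared range. The following is an added example, not code from https-proxy-agent or from anyone in this thread, that implements npm's caret-range semantics in plain JavaScript and shows the resolution failure with the versions named on this page (2.2.2 flagged, 3.0.0 fixed). The publish history and the backport version `2.2.3` are constructed for illustration, and only plain `x.y.z` versions without prerelease tags are handled.

```javascript
// Added example (not from https-proxy-agent or the issue thread): a minimal
// implementation of npm's caret-range semantics, used to show why a fix that
// exists only in a new major version (3.0.0) is unreachable for consumers
// declaring "^2.x", so `npm audit fix` cannot resolve it without a backported
// 2.x release. Assumes plain x.y.z versions (no prerelease or build tags).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret range: "^1.2.3" allows >=1.2.3 <2.0.0; "^0.2.3" allows >=0.2.3 <0.3.0;
// "^0.0.3" allows >=0.0.3 <0.0.4 (the leftmost non-zero component is pinned).
function caretRange(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const [major, minor, patch] = lower;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower, upper };
}

function satisfies(version, range) {
  const { lower, upper } = caretRange(range);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Given a declared range, the first version carrying the fix, and the list of
// published versions, return the newest published version that both satisfies
// the range and is >= the fixed version, or null when none exists (the case
// that `npm audit fix` cannot resolve automatically).
function resolveFix(range, fixedIn, published) {
  const fix = parseVersion(fixedIn);
  const candidates = published
    .filter(v => satisfies(v, range) && compare(parseVersion(v), fix) >= 0)
    .sort((a, b) => compare(parseVersion(b), parseVersion(a)));
  return candidates.length ? candidates[0] : null;
}

// Constructed publish history: 2.2.2 is the version Snyk flagged and 3.0.0 the
// release carrying the fix. The backport "2.2.3" used below is hypothetical.
const PUBLISHED = ['2.2.1', '2.2.2', '3.0.0'];

// Consumers on ^2.2.2 cannot reach 3.0.0 ...
console.log(resolveFix('^2.2.2', '3.0.0', PUBLISHED)); // null
// ... but a backport published as 2.2.3 would be picked up automatically.
console.log(resolveFix('^2.2.2', '2.2.3', [...PUBLISHED, '2.2.3'])); // 2.2.3
```

Run it with `node` to see the two outcomes side by side: the major bump yields `null` for every `^2.x` consumer, while a patch release inside the existing range resolves without any manual intervention, which is the outcome the comments above are asking for.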

@lirantal

@AaronFriel the Snyk patch is compatible with 2.x:
[screenshot]

see here for the links and details

@hiendv

hiendv commented Oct 22, 2019

@AaronFriel Couldn't agree more. Why bump a major version for a security fix? Now it cannot be automatically resolved.

@talr1

talr1 commented Oct 22, 2019

Same issue here: can't use "npm audit fix", which breaks our pipeline.
Also, version 3.0.0 is not promoted to be the latest version.
