
Need to update jsprim due to vulnerability in json-schema #123

Closed
WilliamHolmes opened this issue Nov 15, 2021 · 3 comments

Comments

@WilliamHolmes

json-schema has a vulnerability which is included in older versions of jsprim.

jsprim is currently at 2.0.1

@bahamat

bahamat commented Nov 17, 2021

I just updated jsprim to 2.0.2 a few minutes ago to address this in that package.

Testing of http-signature on node 0.10 with jsprim updated to 2.0.2:

diff --git a/package.json b/package.json
index 42500ab..c278e85 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "http-signature",
   "description": "Reference implementation of Joyent's HTTP Signature scheme.",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "license": "MIT",
   "author": "Joyent, Inc",
   "contributors": [
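Review bot: the bump from 1.3.5 to 1.3.6 is the right size for a dependency-only fix, but nothing in this hunk records why the release exists; make sure the release notes or changelog entry for 1.3.6 names the jsprim/json-schema update so consumers auditing their lockfiles can tell which http-signature version carries the fix.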
@@ -31,7 +31,7 @@
   },
   "dependencies": {
     "assert-plus": "^1.0.0",
-    "jsprim": "^1.2.2",
+    "jsprim": "^2.0.2",
     "sshpk": "^1.14.1"
   },
   "devDependencies": {
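Review bot: `"jsprim": "^2.0.2"` is a major-version jump from `^1.2.2`, so the caret range alone does not establish API compatibility; the node 0.10 test run below exercises the package's own suites, and the commit message should say that http-signature's use of jsprim was checked against the 2.x changes. Two consequences worth stating for consumers: the new range only takes effect on fresh installs or after regenerating a lockfile, and dependents that pin http-signature with a tilde range (request's `~1.2.0`, raised later in this thread) will not receive this release without a backport.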
[root@node-tester ~/src/node-http-signature]# make test
npm install
TAP=1 ./node_modules/.bin/tap test/*.test.js
TAP version 13
# convert.test.js
# TAP version 13
# 1024b pem to rsa ssh key
ok 1 should be equal
# 2048b pem to rsa ssh key
ok 2 should be equal
# 4096b pem to rsa ssh key
ok 3 should be equal
# 1024b rsa ssh key
ok 4 should be equal
# 2048b rsa ssh key
ok 5 should be equal
# 4096b rsa ssh key
ok 6 should be equal
# 1024b dsa ssh key
ok 7 should be equal
# fingerprint
ok 8 should be equal
# tests 8
# pass  8
# ok
ok 9 test/convert.test.js

# examples.test.js
# TAP version 13
# read in doc
# find keys and examples
# tests 0
# ok
ok 10 test/examples.test.js

# header.test.js
# TAP version 13
# setup
ok 11 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date request-line content-length",signature="oSwbRe6Ed78lu3xKah7ZK/T5K9DdM4dtGs7TA7lCzhqqoIf8xKiwGIR7BkjUb07xs9NhmGpWCAPd9yBC6b7lURLqemOiIjBvT8f3vtj54/vpLcrQl2rgGcjggDXpfGE3CzA28y0rcXIer6gkCvwjT/KL+Eu+f3zuHZexiHntjTE="
# header with 0 value
ok 12 (unnamed assert)
ok 13 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date x-foo",signature="eJqjL3xGQaHZ+lrICae+qolAZio3fT1jk1DPU1HLu6DSZPiPaDEaEu6E4Kst2v+dMwZ99JJss4RcWC3czxn56/sg/DNRhw4ZZPqtp06Y0K/wmpV4FAxkdlCc0HLU+kSC95uUki6FJE7Q8sNo837xNNbHohrGOu/Mddn4klW6qWM="
# header with boolean-mungable value
ok 14 (unnamed assert)
ok 15 (unnamed assert)
# tear down
# tests 5
# pass  5
# ok
ok 16 test/header.test.js

# parser.test.js
# TAP version 13
# setup
# no authorization
ok 17 should be equal
ok 18 should be equal
# bad scheme
ok 19 should be equal
ok 20 should be equal
ok 21 should be equal
# no key id
ok 22 should be equal
ok 23 should be equal
ok 24 should be equal
# key id no value
ok 25 should be equal
ok 26 should be equal
ok 27 should be equal
# key id no quotes
ok 28 should be equal
ok 29 should be equal
ok 30 should be equal
# key id param quotes
ok 31 should be equal
ok 32 should be equal
ok 33 should be equal
# param name with space
ok 34 should be equal
ok 35 should be equal
ok 36 should be equal
# no algorithm
ok 37 should be equal
ok 38 should be equal
ok 39 should be equal
# algorithm no value
ok 40 should be equal
ok 41 should be equal
ok 42 should be equal
# no signature
ok 43 should be equal
ok 44 should be equal
ok 45 should be equal
# invalid algorithm
ok 46 should be equal
ok 47 should be equal
ok 48 should be equal
# no date header
ok 49 should be equal
ok 50 should be equal
ok 51 should be equal
# valid numeric parameter
ok 52 should be equal
# invalid numeric parameter
ok 53 should be equal
ok 54 should be equal
ok 55 should be equal
# invalid numeric parameter - decimal
ok 56 should be equal
ok 57 should be equal
ok 58 should be equal
# invalid numeric parameter - signed integer
ok 59 should be equal
ok 60 should be equal
ok 61 should be equal
# created in future
ok 62 should be equal
ok 63 should be similar
ok 64 should be equal
# expires expired
ok 65 should be equal
ok 66 should be similar
ok 67 should be equal
# valid created and expires with skew
ok 68 should be equal
# valid default headers
ok 69 should be equal
# valid custom authorizationHeaderName
ok 70 should be equal
# explicit headers missing
ok 71 should be equal
# {
# }
# valid explicit headers request-line
ok 72 should be equal
ok 73 (unnamed assert)
ok 74 should be equal
ok 75 (unnamed assert)
ok 76 should be equal
ok 77 should be equal
ok 78 should be equal
ok 79 (unnamed assert)
ok 80 should be equal
ok 81 should be equal
ok 82 should be equal
ok 83 should be equal
ok 84 should be equal
ok 85 (unnamed assert)
ok 86 should be equal
ok 87 should be equal
ok 88 should be equal
# valid explicit headers request-line strict true
ok 89 should be equal
ok 90 should be equal
ok 91 should be equal
# {
# }
# valid explicit headers request-target
ok 92 should be equal
ok 93 (unnamed assert)
ok 94 should be equal
ok 95 (unnamed assert)
ok 96 should be equal
ok 97 should be equal
ok 98 should be equal
ok 99 (unnamed assert)
ok 100 should be equal
ok 101 should be equal
ok 102 should be equal
ok 103 should be equal
ok 104 should be equal
ok 105 (unnamed assert)
ok 106 should be equal
ok 107 should be equal
ok 108 should be equal
# expired
ok 109 should be equal
# missing required header
ok 110 should be equal
ok 111 should be equal
ok 112 should be equal
# valid mixed case headers
ok 113 should be equal
# not whitelisted algorithm
ok 114 should be equal
ok 115 should be equal
ok 116 should be equal
# tearDown
# tests 100
# pass  100
# ok
ok 117 test/parser.test.js

# signer.test.js
# TAP version 13
# setup
ok 118 (unnamed assert)
ok 119 (unnamed assert)
ok 120 (unnamed assert)
ok 121 (unnamed assert)
# > Signature keyId="unitTest",algorithm="rsa-sha256",signature="PgmDcqnyvGMCBUjcj6UfJuKMoHecXH/+okqSVpjJW8TujArAE6AXQuS8v323+9Uxm7wzhnj+eHW8emgG8ehxi+bQqBXArBoOeyEylx8F16dqjhdxGN798PcUjpqHI1XlHiVacf2xhJzwhs6HUeUz0ef1z81IagOkdIolqauXuRI="
# defaults
ok 122 (unnamed assert)
ok 123 (unnamed assert)
ok 124 should be equal
ok 125 (unnamed assert)
ok 126 (unnamed assert)
# > Signature keyId="unitTest",algorithm="rsa-sha256",signature="PgmDcqnyvGMCBUjcj6UfJuKMoHecXH/+okqSVpjJW8TujArAE6AXQuS8v323+9Uxm7wzhnj+eHW8emgG8ehxi+bQqBXArBoOeyEylx8F16dqjhdxGN798PcUjpqHI1XlHiVacf2xhJzwhs6HUeUz0ef1z81IagOkdIolqauXuRI="
# with custom authorizationHeaderName
ok 127 (unnamed assert)
ok 128 (unnamed assert)
ok 129 should be equal
ok 130 (unnamed assert)
ok 131 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date request-line",signature="gAsWbHHP+0XdUBGXLZMXmGjpbfvLmzxjBgGz56ZbAErJltQz0tpDZmaIrKtFSGhPU8mbA9Q+TMcuH0V7yj9rnFyusA+XJRUiYcYhnHY9vx/622J8vrKPR6XPn9rReCDfoGr4vSnHE1pKDMdw3G5mNaENAakSfil1Eu/Z8GROtq8="
# request line strict unspecified
ok 132 (unnamed assert)
ok 133 (unnamed assert)
ok 134 should be equal
ok 135 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date request-line",signature="gAsWbHHP+0XdUBGXLZMXmGjpbfvLmzxjBgGz56ZbAErJltQz0tpDZmaIrKtFSGhPU8mbA9Q+TMcuH0V7yj9rnFyusA+XJRUiYcYhnHY9vx/622J8vrKPR6XPn9rReCDfoGr4vSnHE1pKDMdw3G5mNaENAakSfil1Eu/Z8GROtq8="
# request line strict false
ok 136 (unnamed assert)
ok 137 (unnamed assert)
ok 138 (unnamed assert)
ok 139 (unnamed assert)
# request line strict true
ok 140 Expected to throw
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (request-target)",signature="Rddbzx9JiPHGKiklsampIu5Ggc+Rs6vp3JWtZVTb8OqaMpkNTSKCQX0bWpqGoZvq1frrWT9DYBYFabCTJhrGqGX0R2io4pn007SwkPvMG8L5akdduFqQD726Hc7Nkuyaw4cbABDJoMTbbLP88pr8h6XdCaDNERINP6J8smUsy/Q="
# request target
ok 141 (unnamed assert)
ok 142 (unnamed assert)
ok 143 should be equal
ok 144 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (keyid)",signature="O6s9ES35zfqg7MrdZwjN/qcXQUr5zLsN5vpCjIGI557mhu9qzdwX3PJtCNCaCZzkJJEA2tayUrpW91nUwDRaWGTipWqfDtRum6Tx/xlw6nUZygDqJ8yXntSc619zfBZOdlrLmP8xwy7PFs/w9ivqL1DrjxS9LaqGZGGji2cez8s="
# keyid
ok 145 (unnamed assert)
ok 146 (unnamed assert)
ok 147 should be equal
ok 148 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (algorithm)",signature="rhjNmRxDYmx0OnbhsdCS8afhuvkZ7GSRKZ5J8MUC/+RQFALw1u+b/IuvAKFLfboRiOX6WKwEHRuCxA7Ve7zophJ7PTZ5kvedNY6sYISQhvfgLiN7Niw5NzlEKf/foC7lvfgCkFj0du0lWiGC1OTsPisXnfZaItEicCb1r2kOflw="
# signing algorithm
ok 149 (unnamed assert)
ok 150 (unnamed assert)
ok 151 should be equal
ok 152 should be equal
ok 153 should be equal
ok 154 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (algorithm)",signature="rhjNmRxDYmx0OnbhsdCS8afhuvkZ7GSRKZ5J8MUC/+RQFALw1u+b/IuvAKFLfboRiOX6WKwEHRuCxA7Ve7zophJ7PTZ5kvedNY6sYISQhvfgLiN7Niw5NzlEKf/foC7lvfgCkFj0du0lWiGC1OTsPisXnfZaItEicCb1r2kOflw="
# signing with unspecified algorithm
ok 155 (unnamed assert)
ok 156 (unnamed assert)
ok 157 should be equal
ok 158 should be equal
ok 159 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",opaque="opaque",headers="date (opaque)",signature="bvICmKJgnB6kciRWSWEsygBGmf5m6PIwZahBpghq87Ivat2g4P1et5ZvkKO7+7M+cBKG6cpX6gWBtJ75HU+Ca4tkRzDky6vrFIROlBlju5zELr7tLj1Z6FY21TBxuh+Jx23h+YbzIL7vjJWI9gb5ghmxkmvk3ojJf2aLpQTIHho="
# signing opaque param
ok 160 (unnamed assert)
ok 161 (unnamed assert)
ok 162 should be equal
ok 163 should be equal
ok 164 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (algorithm)",signature="ROMt51x1aZqlTpyAlfy1xb9jcRrmyRpPYolbGAmZk8l7wpC6eSc4x0OpmPp1ZvsPRm5S6zLm9DufL1Ey3yApVGbBogHZWGwgRvfMIc6lWR7+U9WMTLRFallIq9YoFqBNfY2yTfA9vaEx+Ew7+Ai2lmJrLpaP/3YuRjZMII88zoY="
# signing with key protected with passphrase
ok 165 (unnamed assert)
ok 166 (unnamed assert)
ok 167 should be equal
ok 168 should be equal
ok 169 (unnamed assert)
# > Signature keyId="unit",algorithm="dsa-sha1",headers="date (request-target)",signature="MCwCFFG37hj+0QXdsRNrxcfUB4y5mrsZAhRLeEKhZlJ3atgV+tQ/pS8gqJ2zaA=="
# request-target with dsa key
ok 170 (unnamed assert)
ok 171 (unnamed assert)
# > Signature keyId="unit",algorithm="ecdsa-sha256",headers="date (request-target)",signature="MEQCIHUaCooOElk1ChatOOfcbMZWrKVcAys13k3dXIrJBRQMAiAoDFUefFrMDRtJszA6f9OQoapFaz8IW//kMoGxF0IXkw=="
# request-target with ecdsa key
ok 172 (unnamed assert)
ok 173 (unnamed assert)
# > Signature keyId="unit",algorithm="hmac-sha1",signature="i0+OKV5oXxsb6hZlxL0+8ZDaCRc="
# hmac
ok 174 (unnamed assert)
ok 175 (unnamed assert)
# > Signature keyId="foo",algorithm="rsa-sha1",headers="(request-target) date",signature="Cs9jW5ivjocnWnnw4E6td/9RxMokP8qDSXvF4/XFOU1OSurwzr0DOYxBldq4ijXylNMwCCmdUvJJtZcUFpxeWsLZ51lGD3rATp6sSyeDrkoYeZBD1MVQg1ypV311Mt+Xa8ucjNuC0/u/S0SOD3YEO9swRUbiYR9IktnEPlmMTPs="
# createSigner with RSA key
ok 176 (unnamed assert)
# createSigner with RSA key, auto algo
ok 177 (unnamed assert)
# createSigner with RSA key, auto algo, passphrase
ok 178 (unnamed assert)
# createSigner with HMAC key
ok 179 (unnamed assert)
# createSigner with sign function
ok 180 (unnamed assert)
ok 181 (unnamed assert)
ok 182 should be equal
ok 183 (unnamed assert)
ok 184 (unnamed assert)
# tear down
# tests 67
# pass  67
# ok
ok 185 test/signer.test.js

# verify.test.js
# TAP version 13
# setup
ok 186 (unnamed assert)
ok 187 (unnamed assert)
ok 188 (unnamed assert)
ok 189 (unnamed assert)
ok 190 (unnamed assert)
ok 191 (unnamed assert)
# invalid hmac
ok 192 (unnamed assert)
ok 193 should be equal
# valid hmac
ok 194 (unnamed assert)
ok 195 should be equal
# invalid raw hmac
ok 196 (unnamed assert)
ok 197 should be equal
# valid raw hmac
ok 198 (unnamed assert)
ok 199 should be equal
# invalid rsa
ok 200 (unnamed assert)
ok 201 should be equal
# valid rsa
ok 202 (unnamed assert)
ok 203 should be equal
# invalid dsa
ok 204 (unnamed assert)
ok 205 should be equal
# valid dsa
ok 206 (unnamed assert)
ok 207 should be equal
# invalid ecdsa
ok 208 (unnamed assert)
ok 209 should be equal
# valid ecdsa
ok 210 (unnamed assert)
ok 211 should be equal
# invalid date
ok 212 Expected to throw
ok 213 should be equal
# valid rsa from spec default
ok 214 (unnamed assert)
ok 215 (unnamed assert)
ok 216 should be equal
# valid rsa from spec default
ok 217 (unnamed assert)
ok 218 (unnamed assert)
ok 219 should be equal
# valid rsa from spec all headers
ok 220 (unnamed assert)
ok 221 (unnamed assert)
ok 222 should be equal
# valid rsa from spec all headers (request-target)
ok 223 (unnamed assert)
ok 224 (unnamed assert)
ok 225 should be equal
# tear down
# tests 40
# pass  40
# ok
ok 226 test/verify.test.js


1..226
# tests 226
# pass  226

# ok

@bahamat bahamat changed the title Need to update jsprim due to vulnerability in its sub package Need to update jsprim due to vulnerability in json-schema Nov 17, 2021
bahamat added a commit that referenced this issue Nov 17, 2021
Reviewed by: BruceHaley <v-brucehaley@microsoft.com>
Reviewed by: Dan McDonald <danmcd@kebe.com>
@bahamat

bahamat commented Nov 17, 2021

Fixed in 391fbe4 (#125)

@snyamathi

@bahamat I know this is an oddball request, but if it's possible to backport this patch to ~1.2.x that would allow anyone using request to pick up this fix as well.

I know that request is deprecated, but it's still very popular with ~17 million weekly downloads.

Ideally request would have specified ^1.2.0, but they have ~1.2.0 which means that this fix is out of range.


I certainly wouldn't blame you for not wanting to backport this, but a whole lot of people on the internet would appreciate you for it :)
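The range semantics behind the backport request, as an added example that is not part of the issue or of the http-signature project: a minimal model of npm's tilde (`~`) and caret (`^`) matching, enough to show why a dependent pinned to `~1.2.0` never receives a fix published as 1.3.6 while `^1.2.0` would, and why `^1.2.2` never reaches jsprim 2.0.2. It handles only plain `x.y.z` versions and a single `~` or `^` operator; real npm uses the `semver` package. The release list is constructed from the version numbers mentioned on this page and is not the project's actual release history.

```javascript
// Added example (not from the issue or the http-signature project): a teaching
// model of npm tilde/caret range semantics. Only simple x.y.z versions and a
// single ~ or ^ range are supported; real npm resolution uses the `semver` package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a ~ or ^ range.
function rangeBounds(range) {
  const op = range[0];
  const base = parseVersion(range.slice(1));
  const [major, minor, patch] = base;
  if (op === '~') {
    // ~1.2.0 := >=1.2.0 <1.3.0 : patch-level updates only.
    return [base, [major, minor + 1, 0]];
  }
  if (op === '^') {
    // ^1.2.0 := >=1.2.0 <2.0.0 : anything that keeps the leftmost non-zero
    // component fixed. ^0.2.3 := <0.3.0 and ^0.0.3 := <0.0.4.
    if (major > 0) return [base, [major + 1, 0, 0]];
    if (minor > 0) return [base, [0, minor + 1, 0]];
    return [base, [0, 0, patch + 1]];
  }
  throw new Error(`unsupported range operator in: ${range}`);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// The version npm would pick for a range: the highest published version that
// satisfies it, or null when nothing does.
function maxSatisfying(versions, range) {
  const ok = versions.filter((v) => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Constructed sample (version numbers taken from this issue, not a real
// release list): the fixed http-signature release is 1.3.6.
const HTTP_SIGNATURE_RELEASES = ['1.2.0', '1.3.5', '1.3.6'];
const FIXED_VERSION = '1.3.6';

// Would a dependent declaring `range` on http-signature receive the fix?
function fixReachable(range) {
  return maxSatisfying(HTTP_SIGNATURE_RELEASES, range) === FIXED_VERSION;
}

for (const r of ['~1.2.0', '^1.2.0']) {
  console.log(`${r} resolves to ${maxSatisfying(HTTP_SIGNATURE_RELEASES, r)}; fix reachable: ${fixReachable(r)}`);
}
```

The same check applies one level down: `satisfies('2.0.2', '^1.2.2')` is false, which is why http-signature itself had to change its declared range rather than rely on a fresh install picking up the patched jsprim.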

leoschweizer pushed a commit to fjuul/node-http-signature that referenced this issue Nov 19, 2021
…on-schema (TritonDataCenter#125) (#5)

Reviewed by: BruceHaley <v-brucehaley@microsoft.com>
Reviewed by: Dan McDonald <danmcd@kebe.com>

Co-authored-by: Brian Bennett <brian.bennett@joyent.com>