
[BUG] CVE-2021-27290 due to using old version of ssri #388

Closed
candrews opened this issue Mar 18, 2021 · 13 comments

@candrews

CVE-2021-27290

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

The fix is to bump ssri to 8.0.1.

  • Operating System: all
  • Node Version: all
  • NPM Version: all
  • webpack Version: all
  • terser-webpack-plugin Version: 5.1.1, 4.2.3, 2.3.8, 3.1.0, 1.4.5

Providing an updated release of terser-webpack-plugin version 1.x would be particularly helpful because webpack 4 uses terser-webpack-plugin version 1.x.

@candrews
Author

terser-webpack-plugin depends on ssri transitively through cacache; requested cacache to update its ssri dependency at npm/cacache#47

@alexander-akait
Member

We don't use the ssri package directly; I don't know what we should do here.

@alexander-akait
Member

Also, updating is impossible due to a breaking change, so sorry, we can't fix it; update terser-webpack-plugin to the latest version.

@candrews
Author

> We don't use the ssri package directly; I don't know what we should do here.

Override the ssri dependency version. npm provides the ability to override transitive dependencies.

Or, wait for a new release of cacache and update to use it (in which case, this issue is just a reminder to do that when that release is made available).

@alexander-akait
Member

> Override the ssri dependency version. npm provides the ability to override transitive dependencies.

No, it is impossible; please read how npm/yarn work.

> Or, wait for a new release of cacache and update to use it (in which case, this issue is just a reminder to do that when that release is made available).

You need to open an issue in the cacache repo.

@wheeler

wheeler commented Mar 22, 2021

webpack or webpack-contrib could be proactive in supporting users on webpack@4 by bumping direct dependencies to versions that would eliminate the vuln version, as these direct dependency versions already exist. Yes, users on webpack@4 could upgrade to webpack@5 which would resolve the problem by upgrading the terser-webpack-plugin above 1.x. This could be prohibitively costly for users who are still on 4, as the upgrade is a whole project of its own which requires a lot of work and potential changes.

  1. Yes, cacache could release a patch version where the cacache dependency is bumped to ^15.x.x. Unfortunately that repo appears rather quiet - and there are few direct users to help.
  2. terser-webpack-plugin@1.x could release a patch version where the cacache dependency is bumped to ^15.x.x.
  3. webpack@4.x could release a patch version where the terser-webpack-plugin dependency is bumped to ^3.x.x.

Both 2 and 3 would allow users of webpack@4 to resolve the dependency without having to upgrade to webpack@5. Releasing a patch for the non-leading major version can be a pain, but these repos have well-tracked releases and tags and it is not out of the question for a major project like webpack to do this to support their users.

How easy it is comes down to understanding the breaking changes, which is not something that the average webpack user would understand. This is why we're asking maintainers in issues in the repos. It might not be possible to make these changes within semver if the terser-webpack-plugin@3 or cacache@15 major version breaking changes would effectively cause breaking changes in webpack@4 or terser-webpack-plugin@1. It would be useful to be a bit more clear why this can't be done since, without knowing the inner details, it looks like patches could be made that would help users.

@dryoma

dryoma commented Mar 23, 2021

BTW, cacache v15.0.6 has been released that addresses the issue by bumping the ssri version.

@alexander-akait
Member

You can use terser-webpack-plugin v4 (webpack v4 supported); updating inside webpack v4 is impossible due to a breaking change: webpack v4 supports Node.js v6 https://github.com/webpack/webpack/blob/v4.46.0/package.json#L96, but cacache v15 requires Node.js v10.

@alexander-akait
Member

This is why we are moving away from cacache and migrating to the built-in cache.

@AndrewGibson27

@wheeler I think Option 2 you proposed sounds the best. Would be very grateful to see that happen.

Looks like cacache did get a patch in v15 to get rid of the vulnerable ssri version. Unfortunately, that same patch didn't happen in v12, which is required by 1.x of terser-webpack-plugin. I added a request for that.

@WayneEllery

> @wheeler I think Option 2 you proposed sounds the best. Would be very grateful to see that happen.

Because webpack is supported for Node v6, do we actually have any options? ssri dropped support for Node v6 in https://github.com/npm/ssri/blob/latest/CHANGELOG.md#700-2019-09-18. So that means the only option is to backport the security fix in ssri to v6, which is still supported on Node v6.

@AndrewGibson27

AndrewGibson27 commented Mar 26, 2021

@WayneEllery Such a good point. I opened this issue in the ssri repo to learn more about porting that security fix into v6 of that package. I've got a forked branch going that I hope could become a 6.0.2 release.

@alexander-akait
Member

Fixed https://github.com/npm/ssri/blob/v6/CHANGELOG.md#602-2021-04-07
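As an added example that is not part of this thread or of any of the projects discussed, the Node.js script below implements the check a webpack 4 user would want here: it walks a package-lock.json and flags every hoisted or nested copy of ssri whose version falls in the affected range, using only the version boundaries stated in the thread (5.2.2 through 8.0.0 affected, 8.0.1 fixed, 6.0.2 backport on the v6 branch). The lockfile fragment, its paths and the cacache 12.0.4 version are constructed for illustration, and since the CVE only affects consumers using the strict option, a hit means the affected code is installed, not that it is reachable.

```javascript
// Added example, not from the thread: scan a package-lock.json (lockfileVersion 2/3
// "packages" map) for ssri versions in the range CVE-2021-27290 affects.
// Version facts as stated in the thread: 5.2.2 through 8.0.0 affected, fixed in
// 8.0.1, backported to 6.0.2. Assumption: later 6.0.x releases also carry the fix.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare of [major, minor, patch] triples; negative if a < b.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isVulnerableSsri(version) {
  const v = parseVersion(version);
  if (cmpVersion(v, [5, 2, 2]) < 0) return false;   // before the affected range
  if (cmpVersion(v, [8, 0, 1]) >= 0) return false;  // 8.0.1 and later are fixed
  if (v[0] === 6 && cmpVersion(v, [6, 0, 2]) >= 0) return false; // v6 backport
  return true;
}

// Returns every installed ssri copy (hoisted or nested) whose version is affected.
function findVulnerableSsri(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/ssri') || !meta.version) continue;
    if (isVulnerableSsri(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment (versions chosen for illustration, not a real
// project): the hoisted ssri is already fixed, but cacache@12 under
// terser-webpack-plugin@1.x still pins a nested, affected 6.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/ssri': { version: '8.0.1' },
    'node_modules/terser-webpack-plugin': { version: '1.4.5' },
    'node_modules/terser-webpack-plugin/node_modules/cacache': { version: '12.0.4' },
    'node_modules/terser-webpack-plugin/node_modules/ssri': { version: '6.0.1' },
  },
};
console.log(findVulnerableSsri(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no affected ssri copy is installed anywhere in the tree.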
