Page MenuHomePhabricator
Create Task
Maniphest T176168

Kartotherian ReDoS vulnerability
Closed, ResolvedPublic
Actions

Description

npm install of Kartotherian shows
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

The vulnerability is that a specially crafted Set-Cookie can cause the service to block for excessive amounts of time.

I think this comes in from our use of request@2.81.0.

Details

SubjectRepoBranchLines +/-
Use forked version of tilelive-vector that includes security fixmaps/tilerator/deploymaster+1 -1
Use forked version of tilelive-vector that includes security fixmaps/kartotherian/deploymaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Pnorman created this task.Sep 18 2017, 6:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 18 2017, 6:54 PM
Pnorman renamed this task from Kartotherian ReDoS vulmurability to Kartotherian ReDoS vulnerability.Sep 18 2017, 6:54 PM
Pnorman added a project: Maps (Kartotherian).
Pnorman updated the task description. (Show Details)
GWicke subscribed.EditedSep 18 2017, 7:04 PM

@Pnorman, given that this is related to the request library, do you actually see a way to make the kartotherian service fetch a HTTPS? resource from an attacker-controlled site?

Pnorman added a comment.Sep 18 2017, 8:06 PM

That's a good question, and I'm not sure. The advisory also doesn't say if you have to do anything with the cookies to hit it, or if it'll always happen. tilelive-http would be the likely path in my mind.

I'm not sure why we're pulling in tough-cookie@2.2.2, since request@2.81.0 calls for 2.3.0

Pnorman added subscribers: Gehel, debt, Yurik.Sep 18 2017, 8:07 PM
Bawolff subscribed.Sep 19 2017, 3:07 PM

While its useful to know if we use the vulnerable function in order to assess severity, regardless of if we actually use the library in a vulnerable way, we should not use dependencies that have known vulnerabilities in them.

debt triaged this task as Medium priority.Sep 19 2017, 7:22 PM
debt added a project: Maps-Sprint.
GWicke added a subscriber: MaxSem.EditedSep 19 2017, 8:16 PM

The currently deployed kartotherian uses tough-cookie v2.3.2, but [also pulls in v2.2.2 as a dependency of tilelive-vector](https://github.com/wikimedia/maps-kartotherian-deploy/blob/master/node_modules/tilelive-vector/node_modules/tough-cookie/package.json#L103).

@MaxSem, could you look into upgrading tilelive-vector's tough-cookie dependency?

MaxSem added a comment.Sep 19 2017, 8:28 PM

tilelive-vector is a third-party dependency. They've been ignoring https://github.com/mapbox/tilelive-vector/issues/138 for a year already.

Yurik added a comment.Sep 19 2017, 9:14 PM

The new version of tilelive-vector is actually a kartotherian fork. I might need to revisit it to make sure it all runs smoothly.

hashar mentioned this in T182564: npm warnings when installing Kartotherian dependencies.Dec 11 2017, 10:39 AM
Catrope claimed this task.Feb 27 2018, 7:24 PM
Catrope added projects: Collaboration-Feature-Rollouts (Collaboration-Maps), Collaboration-Team-Triage (Collab-Team-This-Quarter).
Catrope moved this task from Untriaged to Needs Review on the Collaboration-Team-Triage (Collab-Team-This-Quarter) board.Feb 27 2018, 7:31 PM

https://github.com/kartotherian/tilelive-vector/pull/1

Catrope added a subscriber: SBisson.Mar 1 2018, 7:58 PM
SBisson added a comment.Mar 1 2018, 9:35 PM

We're not currently using the kartotherian fork.

The fix was merged upstream and released in v4.0.0, but we cannot use that version in the short term as it depends on a version of mapnik that doesn't seem to compile in our environment.

I've opened an issue asking them to backport the PR to a version we can use and release a package for it. https://github.com/mapbox/tilelive-vector/issues/151

If they can't or won't, we can fork right at the version we are using (3.9.4) and apply the PR there.

SBisson mentioned this in T187596: Kartotherian should accept (and propagate) a language parameter for tiles.Mar 16 2018, 12:23 PM
SBisson added a comment.Mar 23 2018, 5:26 PM

PR use forked version of tilelive-vector: https://github.com/kartotherian/kartotherian/pull/54
Update kartotherian config: https://gerrit.wikimedia.org/r/421585
Update tilerator config: https://gerrit.wikimedia.org/r/421584

SBisson moved this task from Needs Review to QA Review on the Collaboration-Team-Triage (Collab-Team-This-Quarter) board.Mar 23 2018, 6:22 PM
Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 27 2018, 6:09 PM
Catrope added a subscriber: Etonkovidova.
Etonkovidova closed this task as Resolved.Mar 29 2018, 8:22 PM

Merged:

Update kartotherian config: https://gerrit.wikimedia.org/r/421585
Update tilerator config: https://gerrit.wikimedia.org/r/421584

https://github.com/mapbox/tilelive-vector/pull/149 - is closed as done.

jmatazzoni mentioned this in Collaboration-Team-Triage (Collab-Team-This-Quarter).Mar 29 2018, 8:41 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL