
npm audit reports several security issues with Service runner
Open, Needs Triage, Public, BUG REPORT

Description

Running npm audit on the master version of service-runner reports 10 vulnerabilities (7 high, 3 critical). Since there are many services in WMF infrastructure that are written on top of service-runner, these issues affect them too.

Also see T293853: Service-runner depends on preq, a wrapper of request, which is deprecated and T200374: Update indirect dependency on github.com/gwicke/kad.git, indicating the requirement for active maintenance of the library.

Following is the log for npm audit as of v5.0.0:

➜  service-runner git:(master) git log --oneline -n1
5c8fac8 (HEAD -> master, tag: v5.0.0, tag: v.5.0.0, origin/master, origin/HEAD) Release v5.0.0

➜  service-runner git:(master) npm audit
# npm audit report

ms  <2.0.0
Severity: moderate
Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f
fix available via `npm audit fix --force`
Will install limitation@0.2.2, which is a breaking change
node_modules/wikimedia-kad-fork/node_modules/ms
  wikimedia-kad-fork  *
  Depends on vulnerable versions of ms
  node_modules/wikimedia-kad-fork
    limitation  >=0.2.3
    Depends on vulnerable versions of wikimedia-kad-fork
    node_modules/limitation

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls
  preq  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of requestretry
  node_modules/preq
  requestretry  *
  Depends on vulnerable versions of request
  node_modules/requestretry


tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

8 vulnerabilities (6 moderate, 2 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Event Timeline

I submitted primary pull requests: https://github.com/wikimedia/service-runner/pull/246 (At least fixes 5 security issues)

preq has multiple issues stemming from its dependency on request which is deprecated (https://github.com/request/request/issues/3142).

As per my current understanding service-runner is not maintained by anybody (glad to be corrected otherwise). And several services are built on top of it. One possible path forward is to find all maintainers of current service-runner based services and plan fix and review resourcing. I will bring this to the attention of the language team.

> As per my current understanding service-runner is not maintained by anybody (glad to be corrected otherwise).

Right. On a related note, I just filed T340105: PHP-based alternative to wikimedia/service-template-node

Which teams are aware of this in the WMF? I see service-runner and Security tagged on the task, but I don't know if further communication efforts have happened. Does anyone know?

This is a high usage library in the WMF, it appearing abandoned is pretty bad and some serious effort to fix it should be made before things like T357950 go forward.

> Which teams are aware of this in the WMF? I see service-runner and Security tagged on the task, but I don't know if further communication efforts have happened. Does anyone know?
>
> This is a high usage library in the WMF, it appearing abandoned is pretty bad and some serious effort to fix it should be made before things like T357950 go forward.

I don't know which teams are formally aware of it, but anyone who has built with service-runner or attempted to update its dependencies lately would know.

I believe the project used to be owned by a previous iteration of the MW Platform team, but not sure (looking at Developers/Maintainers and service-runner description didn't provide any answers).

I've updated the npm audit output as of v5.0.0 – some are fixed (e.g. ansi-regex, json-schema, minimist), but the key issues Santhosh highlighted for kad and preq remain.

> I've updated the npm audit output as of v5.0.0 – some are fixed (e.g. ansi-regex, json-schema, minimist), but the key issues Santhosh highlighted for kad and preq remain.

Can we drop preq in favor of node 18's fetch?

> I've updated the npm audit output as of v5.0.0 – some are fixed (e.g. ansi-regex, json-schema, minimist), but the key issues Santhosh highlighted for kad and preq remain.
>
> Can we drop preq in favor of node 18's fetch?

I started that last week, but got into issues and have had to switch foci. I've noted that several services use preq directly, not just upstream's tests, so this will only be a start (e.g. this was my fix for the function-orchestrator).


> Which teams are aware of this in the WMF? I see service-runner and Security tagged on the task, but I don't know if further communication efforts have happened. Does anyone know?
>
> This is a high usage library in the WMF, it appearing abandoned is pretty bad and some serious effort to fix it should be made before things like T357950 go forward.
>
> I don't know which teams are formally aware of it, but anyone who has built with service-runner or attempted to update its dependencies lately would know.
>
> I believe the project used to be owned by a previous iteration of the MW Platform team, but not sure (looking at Developers/Maintainers and service-runner description didn't provide any answers).

That's basically correct; this used to be owned by the Services team. The services team was shut down and folded into Core Platform team in 2018. That team was then turned into MediaWiki Platform in 2023. The last remaining original Services member left in 2022. I don't know that any of the current MW Platform members are familiar with it.

> The last remaining original Services member left in 2022.

@Eevans is actually still around, having moved to SRE Data Persistence. However, this is mostly irrelevant and changes none of your points.


It's also worth mentioning that we (MediaWiki-Engineering) haven't been able as a group to define our role in the "Services Platform" domain due to time/resource constraints. This is on our radar though, because it affects services that some of our teams maintain.