
Kartotherian ReDoS vulnerability
Closed, ResolvedPublic


npm install of Kartotherian shows
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie

The vulnerability is that a specially crafted Set-Cookie can cause the service to block for excessive amounts of time.

I think this comes in from our use of request@2.81.0.

Event Timeline

Pnorman renamed this task from Kartotherian ReDoS vulmurability to Kartotherian ReDoS vulnerability.Sep 18 2017, 6:54 PM
Pnorman added a project: Maps (Kartotherian).
Pnorman updated the task description. (Show Details)

@Pnorman, given that this is related to the request library, do you actually see a way to make the kartotherian service fetch an HTTPS? resource from an attacker-controlled site?

That's a good question, and I'm not sure. The advisory also doesn't say if you have to do anything with the cookies to hit it, or if it'll always happen. tilelive-http would be the likely path in my mind.

I'm not sure why we're pulling in tough-cookie@2.2.2, since request@2.81.0 calls for 2.3.0.

While it's useful to know if we use the vulnerable function in order to assess severity, regardless of whether we actually use the library in a vulnerable way, we should not use dependencies that have known vulnerabilities in them.

debt triaged this task as Medium priority.Sep 19 2017, 7:22 PM
debt added a project: Maps-Sprint.

The currently deployed kartotherian uses tough-cookie v2.3.2, but also pulls in v2.2.2 as a dependency of tilelive-vector.
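The two comments above (one asking why tough-cookie@2.2.2 is pulled in when request@2.81.0 asks for 2.3.0, the other tracing it to tilelive-vector) come down to walking the installed dependency tree and finding every path that resolves to a copy older than the fixed release. The script below is an added example, not code from the task or from the Kartotherian project: it walks an `npm ls --json`-shaped tree and reports such paths. The package name and the 2.3.0 cut-off come from the npm warning quoted in the task; the sample tree is constructed to mirror the situation described (the intermediate request version under tilelive-vector is illustrative, not taken from the task).

```javascript
// Added example (not from the Phabricator task or the Kartotherian code base).
// Walks a dependency tree shaped like `npm ls --json` output and reports every
// path that resolves tough-cookie to a version below the first fixed release.

const VULNERABLE_PACKAGE = 'tough-cookie';
const FIXED_VERSION = '2.3.0'; // first release without the Set-Cookie ReDoS, per the npm warning

// Compare two dotted version strings numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect "a@1 > b@2 > pkg@v" paths to vulnerable copies of pkgName.
// Nested copies are reported too, which is how a transitive dependency such as
// tilelive-vector can reintroduce an old version the top-level request does not use.
function findVulnerablePaths(tree, pkgName = VULNERABLE_PACKAGE, fixed = FIXED_VERSION, trail = []) {
  const hits = [];
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const path = trail.concat(`${name}@${node.version}`);
    if (name === pkgName && compareVersions(node.version, fixed) < 0) {
      hits.push({ version: node.version, path: path.join(' > ') });
    }
    hits.push(...findVulnerablePaths(node, pkgName, fixed, path));
  }
  return hits;
}

// Constructed sample tree in the shape of `npm ls --json` output.
// The request version under tilelive-vector is illustrative only.
const SAMPLE_TREE = {
  name: 'kartotherian-example',
  version: '0.0.0',
  dependencies: {
    request: {
      version: '2.81.0',
      dependencies: { 'tough-cookie': { version: '2.3.2' } },
    },
    'tilelive-vector': {
      version: '3.9.4',
      dependencies: {
        request: {
          version: '2.72.0',
          dependencies: { 'tough-cookie': { version: '2.2.2' } },
        },
      },
    },
  },
};

// Human-readable report; returns the hits so callers can act on them.
function report(tree) {
  const hits = findVulnerablePaths(tree);
  if (hits.length === 0) {
    console.log(`no ${VULNERABLE_PACKAGE} < ${FIXED_VERSION} found`);
  }
  for (const hit of hits) {
    console.log(`${VULNERABLE_PACKAGE}@${hit.version} (< ${FIXED_VERSION}) via: ${hit.path}`);
  }
  return hits;
}

report(SAMPLE_TREE);
```

Against a real install, feed the script the parsed output of `npm ls --json` (or the `dependencies` object of a lockfile) instead of `SAMPLE_TREE`; the reported path names the package whose own dependency range has to be bumped, which is the information needed before deciding between an upstream fix and a fork.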

@MaxSem, could you look into upgrading tilelive-vector's tough-cookie dependency?

tilelive-vector is a third-party dependency. They've been ignoring it for a year already.

The new version of tilelive-vector is actually a kartotherian fork. I might need to revisit it to make sure it all runs smoothly.

We're not currently using the kartotherian fork.

The fix was merged upstream and released in v4.0.0, but we cannot use that version in the short term as it depends on a version of mapnik that doesn't seem to compile in our environment.

I've opened an issue asking them to backport the PR to a version we can use and release a package for it.

If they can't or won't, we can fork right at the version we are using (3.9.4) and apply the PR there.

Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 27 2018, 6:09 PM
Catrope added a subscriber: Etonkovidova.