Page MenuHomePhabricator
Create Task
Maniphest T245070

stylelint-config-wikimedia has vulnerable dependencies
Closed, ResolvedPublicSecurity
Actions

Description

During the security review for ext:EventStreamConfig, it was discovered with snyk.io's cli that stylelint-config-wikimedia has vulnerable dependencies via stylelint, namely:

  1. dot-prop@4.2.0, Prototype Pollution (medium risk)
  2. kind-of@6.0.2, Information Disclosure (low risk)
    • Introduced by stylelint-config-wikimedia@0.8.0 > stylelint@12.0.0 > global-modules@2.0.0 > global-prefix@3.0.0 > kind-of@6.0.2 and 44 other path(s). This issue was fixed in versions: 6.0.3. See also: https://snyk.io/vuln/SNYK-JS-KINDOF-537849.

The low-severity Vuln-Infoleak for kind-of appears to be resolved within the latest 13.1.0 release of stylelint. The medium-severity prototype pollution vulnerability for dot-prop still exists within the aforementioned 13.1.0 release, so I've filed a security issue with them via github.

Lastly, would it be a good idea to set up a formal security reporting policy for stylelint-config-wikimedia? I believe github is the canonical repo location for this code, correct?

Details

Author Affiliation
WMF Technology Dept

Related Objects

Event Timeline

sbassett created this task.Feb 12 2020, 10:20 PM
Restricted Application added a project: Security. · View Herald TranscriptFeb 12 2020, 10:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
sbassett updated the task description. (Show Details)Feb 12 2020, 10:20 PM
sbassett added a subscriber: Reedy.
Volker_E added a comment.Feb 12 2020, 10:27 PM

@sbassett Yes, GitHub is the canonical repo.

Jdforrester-WMF added a project: Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)).Feb 12 2020, 11:00 PM

I fixed the second one of these in https://github.com/wikimedia/stylelint-config-wikimedia/pull/110 (pending merge/release).

The first one needs upstream fixes, unfortunately. dot-prop was removed from postcss-selector-parser all the way back in https://github.com/postcss/postcss-selector-parser/commit/92c0766f8cdb0aa3ffe39a67eaf200c875e23831#diff-b9cfc7f2cdf78a7f4b91a753d10865a2 but stylelint is still using 3.1.1 (latest is 6.x).

sbassett changed the task status from Open to Stalled.EditedFeb 13 2020, 4:03 PM
sbassett triaged this task as Medium priority.

Update: I heard back from upstream re: postcss-selector-parser/dot-prop. There are apparently some issues upgrading stylelint to a newer version of postcss-selector-parser due to the way it parses comments. Upstream said they'd be willing to keep us (me) informed of when they're able to get a fix/upgrade in place.

Jdforrester-WMF added a comment.Feb 13 2020, 4:18 PM

Thank you!

Volker_E added a comment.Feb 13 2020, 5:17 PM

@sbassett Are there security policy examples we should orient ourselves on?

sbassett added a comment.Feb 13 2020, 9:30 PM
In T245070#5881644, @Volker_E wrote:

@sbassett Are there security policy examples we should orient ourselves on?

For node/js dependency vulnerabilities or just in general? The Security-Team does have some developer best practices/documentation up on mediawiki.org, though some of that is a bit dated and very PHP/MediaWiki-centric. The most relevant item might be our Third Party Code Review Checklist, which we use as a basic set of guidelines for various internal reviews. At some point, I would very much like to clean up our older documentation and craft some new documentation targeted towards other languages such as node/js, golang and python.

For the node/js dependency vulnerabilities specifically, we tend to find many of those during our security readiness reviews but would certainly encourage all technical contributors to do any of the following:

  1. run various tools like npm audit, snyk test, nvd searches, etc. manually during development cycles
  2. build npm cli commands which can run the aforementioned security checks in an automated fashion
  3. configure CI for relevant repositories to have various security checks run during code review (non-voting is fine)
  4. configure github to automatically check for relevant security alerts
  5. feel empowered to create Phab tasks like this one to request updates for vulnerable and outdated dependencies

If this isn't really what you were asking or you have any further questions, please feel free to contact us directly.

Volker_E added a comment.Feb 13 2020, 10:40 PM

@sbasset Was referring to your last point about setting up a formal security reporting policy in the repo. AFAICT stylelint features a pretty simple[[ https://github.com/stylelint/stylelint/blob/master/SECURITY.md | SECURITY.md file ]].

sbassett added a comment.EditedFeb 13 2020, 10:45 PM

@Volker_E Ah, ok, sorry about that. I would say any policy/SECURITY.md could borrow heavily from the existing Reporting Security Bugs doc (or even just link to it). Otherwise, providing an email (even better with a public key) and reminding folks that they shouldn't just open a public issue or create a pull request should suffice.

sbassett added a comment.Feb 14 2020, 9:31 PM

Update: upstream has tagged a new release that updates postcss-selector-parser and thus mitigates the prototype pollution vulnerability. So whenever we can upgrade stylelint-config-wikimedia to use stylelint@13.2.0, that would fix the issue on our end.

Jdforrester-WMF added a comment.EditedFeb 14 2020, 9:34 PM

PR for stylelint-config: https://github.com/wikimedia/stylelint-config-wikimedia/pull/111

PR for grunt-stylelint: https://github.com/wikimedia/grunt-stylelint/pull/84

Note there's also https://github.com/wikimedia/grunt-stylelint/network/alert/package-lock.json/diff/open which is looking to be harder to fix.

Jdforrester-WMF added a subscriber: Esanders.Feb 14 2020, 9:52 PM
Jdforrester-WMF added a comment.Feb 14 2020, 10:54 PM

Released as https://github.com/wikimedia/grunt-stylelint/releases/tag/v0.14.0 and https://github.com/wikimedia/stylelint-config-wikimedia/releases/tag/v0.9.0 ; I've configured LibraryUpgrader to do org-wide upgrades where possible, which all should land over the weekend, hopefully.

sbassett closed this task as Resolved.Feb 18 2020, 2:50 PM
sbassett assigned this task to Jdforrester-WMF.
In T245070#5886343, @Jdforrester-WMF wrote:

Released as https://github.com/wikimedia/grunt-stylelint/releases/tag/v0.14.0 and https://github.com/wikimedia/stylelint-config-wikimedia/releases/tag/v0.9.0 ; I've configured LibraryUpgrader to do org-wide upgrades where possible, which all should land over the weekend, hopefully.

Excellent, thanks. I'm going to resolve and make public now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 18 2020, 2:50 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett mentioned this in T242134: Security Review For Talk pages project.Feb 18 2020, 9:22 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Jdforrester-WMF moved this task from INBOX to Maintenance on the Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)) board.Feb 26 2020, 6:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL