
npm audit security report for parsoid: found 1 high severity vulnerability (Prototype Pollution in "merge" package)
Closed, Resolved · Public · Security

Description

Noticed due to test failures in an unrelated patch:
https://integration.wikimedia.org/ci/job/mwgate-node10-docker/237754/console

13:38:19 > npm audit && npm run eslint
13:38:19 
13:38:20                                                                                 
13:38:20                        === npm audit security report ===                        
13:38:20                                                                                 
13:38:20 # Run  npm update null --depth 3  to resolve 1 vulnerability
13:38:20 ┌───────────────┬──────────────────────────────────────────────────────────────┐
13:38:20 │ High          │ Prototype Pollution                                          │
13:38:20 ├───────────────┼──────────────────────────────────────────────────────────────┤
13:38:20 │ Package       │ merge                                                        │
13:38:20 ├───────────────┼──────────────────────────────────────────────────────────────┤
13:38:20 │ Dependency of │ d8860565a3673092ee75305075e405d78d04220cfe0094b57d73853a456… │
13:38:20 ├───────────────┼──────────────────────────────────────────────────────────────┤
13:38:20 │ Path          │ d8860565a3673092ee75305075e405d78d04220cfe0094b57d73853a456… │
13:38:20 │               │ > limitation >                                               │
13:38:20 │               │ 51f906c5dbf9a50a53f01fda6279467cc93417b8126ec67004b86182f4d… │
13:38:20 │               │ > merge                                                      │
13:38:20 ├───────────────┼──────────────────────────────────────────────────────────────┤
13:38:20 │ More info     │ https://npmjs.com/advisories/1666                            │
13:38:20 └───────────────┴──────────────────────────────────────────────────────────────┘
13:38:20 
13:38:20 
13:38:20 found 1 high severity vulnerability in 452 scanned packages
13:38:20   run `npm audit fix` to fix 1 of them.
13:38:20 npm ERR! code ELIFECYCLE
13:38:20 npm ERR! errno 1
13:38:20 npm ERR! parsoid@0.11.0 test: `npm audit && npm run eslint`
13:38:20 npm ERR! Exit status 1
13:38:20 npm ERR! 
13:38:20 npm ERR! Failed at the parsoid@0.11.0 test script.

See https://npmjs.com/advisories/1666

Event Timeline

Restricted Application added a subscriber: Aklapper.
DannyS712 moved this task from Unsorted to Reports on the User-DannyS712 board.
DannyS712 added subscribers: Arlolra, ssastry.
sbassett added a project: SecTeam Discussion.
sbassett edited projects, added SecTeam-Processed; removed SecTeam Discussion.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

For completeness, I'll mention that Parsoid/JS is no longer in production at WMF. For the released package, kad is not a default backend for service runner's rate limiter, it would have had to have been explicitly enabled by someone running it. Further, the keys on which the affected package (merge) was used in kad don't seem to be user controlled data.

https://github.com/wikimedia/kad/pull/4/files

Awesome! Thanks Arlo for digging. I think we can skip a new security release for Parsoid/JS. If necessary, we can email a security advisory with how to fix this (upgrade package.json and npm update). I cannot wait for the day when Parsoid/JS goes EOL.
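As an added illustration (not the `merge` package's code, nor Parsoid's or kad's), the pattern behind advisory 1666: a recursive deep merge that walks a `__proto__` key out of untrusted JSON and lands on `Object.prototype`, beside a hardened variant that skips prototype-affecting keys and only descends into the target's own properties. The JSON input and the function names are constructed for this example.

```javascript
// Deliberately unsafe deep merge (illustrative, not the real package): it
// copies every own key of `source`, including "__proto__", into `target`.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes straight into the global prototype.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be walked or assigned from untrusted input.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: refuses blocked keys and only recurses into properties
// that `target` itself owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input: JSON.parse creates "__proto__" as an OWN key.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "name": "x"}';

// Check whether a merge implementation lets the input reach Object.prototype.
// Restores global state afterwards so repeated checks stay independent.
function pollutes(mergeFn) {
  const before = ({}).polluted;
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return before === undefined && after === true;
}
```

Running `pollutes(unsafeMerge)` returns true and `pollutes(safeMerge)` returns false, while `safeMerge` still copies the ordinary `name` key.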