Page MenuHomePhabricator
Create Task
Maniphest T298854

NPM "colors" and "faker" package vulnerability audit
Closed, InvalidPublic
Actions

Description

The NPM package colors has recently been intentionally vandalized by its creator, causing anyone its use on at least package versions colors@1.4.1 and colors@1.4.44-liberty-2 to trigger an infinite loop. It seems there's also two new versions

Looking through the usage on codesearch with this query, I do not see any instances where these versions would be pulled, but it's likely a good idea to move off any usage of this package wherever possible.

The faker package was also disrupted, but in a less extreme way on version 6.6.6. See this codesearch query for it.

See also: Synk's article (HN) or Bleeping Computer's article (HN).

Related Objects

Event Timeline

Perryprog created this task.Jan 10 2022, 12:00 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 10 2022, 12:00 AM
Zabe added projects: Security, Security-Team, JavaScript.Jan 10 2022, 12:02 AM
Zabe removed subscribers: JavaScript, Security, Security-Team.
Zabe added a subscriber: Zabe.
Joe added a subscriber: Joe.Jan 10 2022, 6:37 AM

Sadly that code search is not a complete guarantee. For things we build with the pipeline, we might not have a package.json for all dependencies, so we will have to do a manual check of the docker images.

Marostegui added a subscriber: Marostegui.Jan 10 2022, 7:29 AM
MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.Jan 10 2022, 10:04 AM

The nodejs12-devel image contains node-colors as shipped in Debian Bullseye, but that version isn't affected (it predates the vandalised release)

Joe added a comment.Jan 10 2022, 10:37 AM
In T298854#7608374, @MoritzMuehlenhoff wrote:

The nodejs12-devel image contains node-colors as shipped in Debian Bullseye, but that version isn't affected (it predates the vandalised release)

Yes, the problem might arise with images that include that dependency indirectly, like changeprop.

Reedy added a project: LibUp.Jan 10 2022, 5:31 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.
Reedy added a project: SecTeam-Processed.
santhosh added a subscriber: santhosh.Jan 11 2022, 11:01 AM

Wikimedia services depending on service-runner is affected by this issue. service-runner depends on limiation library and it depends on wikimedia-kad-fork library. wikimedia-kad-fork defines dependency to "colors": "^1.0.3". An npm install with that dependency declaration pulled colors 1.4.1 version and it is problematic. npm had removed the problematic versions, but found a case where newer version from npm cache was used.

Noticed this today while checking gerrit CI failures for cxserver service - https://integration.wikimedia.org/ci/job/service-pipeline-test/10864/console. This CI is based on docker-registry.wikimedia.org/nodejs12-devel image.

https://github.com/wikimedia/kad does not use a package lock file. it is also quite outdated fork(T200374)

KartikMistry added a subscriber: KartikMistry.Jan 11 2022, 11:27 AM
Perryprog updated the task description. (Show Details)Jan 11 2022, 12:14 PM
Perryprog added a comment.Jan 11 2022, 12:18 PM
In T298854#7607990, @Joe wrote:

Sadly that code search is not a complete guarantee. For things we build with the pipeline, we might not have a package.json for all dependencies, so we will have to do a manual check of the docker images.

Good to know; thank you.

In T298854#7612222, @santhosh wrote:

wikimedia-kad-fork defines dependency to "colors": "^1.0.3". An npm install with that dependency declaration pulled colors 1.4.1 version and it is problematic. npm had removed the problematic versions, but found a case where newer version from npm cache was used.

Ack: I swapped around ~1.0.3's meaning compared to ^1.0.3's. This means there is at least some problematic dependencies on colors according to the codesearch linked in the task description; sorry about that.

sbassett added a subscriber: sbassett.EditedJan 11 2022, 7:28 PM

As discussed on IRC, another concrete example of this affecting Wikimedia infrastructure - garbled jenkins console output: https://integration.wikimedia.org/ci/job/service-pipeline-test/10879/console, from https://gerrit.wikimedia.org/r/752693.

sbassett added a project: Vuln-VulnComponent.Jan 12 2022, 5:36 PM
In T298854#7612222, @santhosh wrote:

Wikimedia services depending on service-runner is affected by this issue. service-runner depends on limiation library and it depends on wikimedia-kad-fork library. wikimedia-kad-fork defines dependency to "colors": "^1.0.3". An npm install with that dependency declaration pulled colors 1.4.1 version and it is problematic. npm had removed the problematic versions, but found a case where newer version from npm cache was used.

So to fix this immediate issue with service-runner (probably our largest attack surface for this issue?), can we update the Wikimedia kad fork and pin to the last good version of colorsjs (1.4.0 is recommended by Sonatype), tag a new release and then update limitation and service-runner with new tags as well? It looks like most versions of service-runner used by Wikimedia-affected services specify caret versions in the 2.x.x range, so we'd probably want to tag both 2.9.1 and 3.1.1 releases of service-runner with this security fix. If folks are generally comfortable with this approach, I'm happy to get some pull requests/gerrits going. (I am not aware of a great way of security-patching services like what we do for MW-related issues, etc. and the severity of this vuln - basically obscuring vandalism in certain contexts - might not warrant a fully-embargoed approach like that anyways.)

santhosh added a comment.Jan 13 2022, 6:20 AM

can we update the Wikimedia kad fork and pin to the last good version of colorsjs (1.4.0 is recommended by Sonatype), tag a new release and then update limitation and service-runner with new tags as well?

Yes please.

In long term, T200374 and finding better maintained replacement for wikimedia-kad-fork may be needed.

sbassett mentioned this in T289322: Pre-launch security review of Wikifunctions.Jan 17 2022, 5:35 PM
Legoktm mentioned this in T200374: Update indirect dependency on github.com/gwicke/kad.git.Feb 2 2022, 4:33 AM
Jdforrester-WMF added a subscriber: Jdforrester-WMF.Feb 17 2022, 5:50 PM
sbassett added a comment.EditedMar 17 2022, 9:13 PM

Update: It appears github has pulled the malicious versions of colors? Tags appear to now stop at 1.4.0, which was the last "good" version of the package, from 2019. npm seems to indicate the same. I suppose colors will just be frozen at this version, possibly forever, unless a trustworthy maintainer steps forward? Anyhow, in looking at various package-lock.json files, I'm not seeing anything pinning colors at greater than 1.4.0 (not that that would even work now) and I'm not aware of any ongoing complaints of Wikimedia CI still being obfuscated, etc. So this issue is likely lower-priority or even invalid. Of course there's still the related issue of T200374, which is not great.

Aklapper added a comment.Apr 2 2022, 12:46 PM

Proposing to close ticket as invalid nowadays

sbassett closed this task as Invalid.Apr 4 2022, 2:19 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
In T298854#7826041, @Aklapper wrote:

Proposing to close ticket as invalid nowadays

I'm fine with that, for now.

sbassett triaged this task as Low priority.Apr 4 2022, 2:20 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL