Skip to content

Fix security issue https://npmjs.com/advisories/781#4

Open
nullivex wants to merge 1 commit intodreamerslab:masterfrom
nullivex:master
Open

Fix security issue https://npmjs.com/advisories/781#4
nullivex wants to merge 1 commit intodreamerslab:masterfrom
nullivex:master

Conversation

@nullivex
Copy link

@nullivex nullivex commented Feb 7, 2019

Should fix this, which just popped up today.

│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node.extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.1.7 <2.0.0 || >= 2.0.1                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rmdir-promise                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rmdir-promise > rmdir > node.flow > node.extend              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/781

@imaman imaman mentioned this pull request Feb 7, 2019
Closed
@azizur azizur mentioned this pull request Feb 9, 2019
Closed
@nullivex
Copy link
Author

nullivex commented Feb 16, 2019

I spent time making sure this would be the least impactful fix to the problem. @ljharb any help here?

This was referenced Feb 16, 2019
Closed
Closed
@nullivex
Copy link
Author

nullivex commented Mar 2, 2019

This security issue remains despite the approval for changes. Any way this can be merged? @garyyeap @ljharb @jacksctsai @ben-lin ?

@ljharb
Copy link
Member

ljharb commented Mar 3, 2019

@nullivex you'll note that the gray check means i'm not a collaborator, so pinging me isn't going to help :-)

@nullivex
Copy link
Author

nullivex commented Mar 3, 2019

My apologies, Ill leave you out of it. Initially I saw you on the Organization and thought that you may be able to contact someone with publishing privileges. Its a shame to see this vulnerability persist over incorrect usage of the package.json file.

@smamczak
Copy link

smamczak commented Apr 29, 2021

Any update on this merge?

@ljharb
Copy link
Member

ljharb commented Apr 29, 2021

To be clear, while this is a good change (everything should always prefer using ^ ranges), it's also unnecessary, because like almost every prototype pollution CVE, this one is a false positive.

rmdirr is only used here:

node.flow/examples/node.packer/run.js

Line 56 in dcf58ba

rmdir( target_dir, function ( err, dirs, files ){
and target_dir is

node.flow/examples/node.packer/run.js

Line 17 in dcf58ba

var target_dir = __dirname + '/assets/';
, which is hardcoded. Thus, the vulnerability is utterly impossible - you can't even attack yourself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@ljharb ljharb ljharb approved these changes

@vijayrathore8492 vijayrathore8492 vijayrathore8492 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nullivex @ljharb @smamczak @vijayrathore8492