
Vulnerability in transitive dependency underscore.string #5152

Closed
nulltoken opened this issue Feb 2, 2019 · 3 comments

Comments

@nulltoken

Using the latest version:

{
  "name": "test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "swagger-ui": "^3.20.6"
  }
}

Audit reports:

$ yarn audit
yarn audit v1.12.3
+------------------------------------------------------------------------------+
¦ moderate      ¦ Regular Expression Denial of Service                         ¦
+---------------+--------------------------------------------------------------¦
¦ Package       ¦ underscore.string                                            ¦
+---------------+--------------------------------------------------------------¦
¦ Patched in    ¦ >=3.3.5                                                      ¦
+---------------+--------------------------------------------------------------¦
¦ Dependency of ¦ swagger-ui                                                   ¦
+---------------+--------------------------------------------------------------¦
¦ Path          ¦ swagger-ui > remarkable > argparse > underscore.string       ¦
+---------------+--------------------------------------------------------------¦
¦ More info     ¦ https://nodesecurity.io/advisories/745                       ¦
+------------------------------------------------------------------------------+
1 vulnerabilities found - Packages audited: 319
Severity: 1 Moderate
@shockey
Contributor

shockey commented Feb 7, 2019

@nulltoken, as always thanks for filing an issue!

I'm deprioritizing this based on upstream analysis (that I agree with) that this is not a realistic security concern:

Unless you are planning on attacking yourself by entering a 100k string in the terminal while running the CLI, this is not even remotely a vulnerability or security concern for remarkable.

This means that if you pass a long string (50k characters?), that might look like a date, to the remarkable cli, your experience might be degraded by about 2 seconds.

jonschlinkert/remarkable#312 (comment)

Further, for us: argparse is used in Remarkable's CLI, which is not used in Swagger UI at all. There's simply no way that this "vulnerability" could cause problems for us here.
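The triage shockey describes (where does the flagged package sit in the tree, and is the installed version inside the advisory's patched range?) can be scripted. The following is an added example, not code from the issue or from Swagger UI; its dependency graph is constructed by hand to mirror the path `yarn audit` printed above, with made-up versions for the intermediate packages, and a real run would build that graph from `yarn.lock` or `package-lock.json`.

```javascript
// Added example: triage a transitive-dependency advisory by (1) finding every
// dependency path from the root package to the flagged package and (2) checking
// the installed version against the advisory's "Patched in" range.
// The graph below is constructed by hand to mirror the path yarn audit printed;
// intermediate versions are placeholders, not the versions installed in the issue.
const graph = {
  "test":              { version: "1.0.0",  deps: ["swagger-ui"] },
  "swagger-ui":        { version: "3.20.6", deps: ["remarkable"] },
  "remarkable":        { version: "1.0.0",  deps: ["argparse"] },          // version constructed
  "argparse":          { version: "1.0.0",  deps: ["underscore.string"] }, // version constructed
  "underscore.string": { version: "3.3.4",  deps: [] },                    // version constructed
};

// Depth-first search collecting all root -> target paths; `seen` guards cycles.
function findPaths(graph, root, target, path = [], seen = new Set()) {
  if (seen.has(root)) return [];
  const cur = [...path, root];
  if (root === target) return [cur];
  seen.add(root);
  const out = [];
  for (const dep of (graph[root] ? graph[root].deps : [])) {
    out.push(...findPaths(graph, dep, target, cur, seen));
  }
  seen.delete(root);
  return out;
}

// Compare "x.y.z" numerically, so 3.10.0 > 3.3.5 (a string compare would get this wrong).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Only the ">=x.y.z" form that the audit table uses is supported here.
function isPatched(installed, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error("unsupported range: " + range);
  return cmpVersion(installed, m[1]) >= 0;
}

function triage(graph, root, target, patchedRange) {
  const installed = graph[target].version;
  return {
    paths: findPaths(graph, root, target).map(p => p.join(" > ")),
    installed,
    patched: isPatched(installed, patchedRange),
  };
}

console.log(JSON.stringify(triage(graph, "test", "underscore.string", ">=3.3.5"), null, 2));
```

Whether a reported path is actually exercised at runtime (here: only by Remarkable's CLI, which Swagger UI never calls) still has to be judged by reading the code; the script only tells you where the package sits and whether the fix is installed.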

@Racer159

Racer159 commented Aug 1, 2019

Just FYI, but upstream remarkable closed their issue related to this as of 10 days ago. Not too big of a deal (given the low risk of this vuln), but just wanted to make sure y'all were aware so that hopefully NPM audit can finally be happy again.

jonschlinkert/remarkable#310

@shockey
Contributor

shockey commented Aug 2, 2019

Indeed @Racer159, this is resolved; we grabbed the new Remarkable version in #5509.

Closing!

@shockey shockey closed this as completed Aug 2, 2019