Instawork / hyperview

Server-driven mobile apps with React Native

Home Page: https://hyperview.org

[Security Issues Collection] Security Findings Fixing

terryatgithub opened this issue

Hi @adamstep, the app we are building on Hyperview is going live in the coming months, and our security team has reported some high-severity issues that must be fixed before the formal release.

We noticed that the dependencies are all pinned to fixed versions, so we need your help to assess whether it is feasible to upgrade them.

  "dependencies": {
    "tiny-emitter": "2.1.0",
-    "url-parse": "1.4.3", // vulnerable issues as described in [CVE-2022-0686](https://nvd.nist.gov/vuln/detail/CVE-2022-0686)
+    "url-parse": "1.5.9", // need upgrade to 1.5.9 or later
-    "xmldom-instawork": "0.0.1" // vulnerable issues as described in #520  #527,  [CVE-2022-39353](https://nvd.nist.gov/vuln/detail/CVE-2022-39353)
+    "xmldom-instawork": "0.0.1" // need to upgrade to such as @xmldom/xmldom@~0.8.4
  },
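Review bot: the `+` line for xmldom-instawork keeps exactly the same package name and version as the `-` line it replaces ("xmldom-instawork": "0.0.1"), so applying this hunk changes nothing for xmldom even though the comment asks for @xmldom/xmldom@~0.8.4; the dependency key itself has to change to the replacement package for the upgrade to take effect. Also, package.json is plain JSON and does not allow `//` comments, so the CVE annotations on both changed lines belong in the PR description rather than in the file, or the manifest will fail to parse.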

Any response or potential plan would be appreciated, as it would allow us to discuss this with our security team and make arrangements accordingly.
Thank you in advance, and we wish you all the best.
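As an added example (not code from the hyperview project or from anyone in this thread), the following Node script performs the assessment the report asks for: it parses a package.json, reports dependencies that are not exact pins, flags pins that sit below a minimum fixed version using semver precedence (so a release candidate such as 0.66.1-rc.0 correctly sorts below 0.66.1), and flags pinned forks that must be replaced by a different package rather than merely bumped, which a plain version comparison would miss. The package.json fragment is constructed from the versions quoted above; the policy table, the replacement package name @xmldom/xmldom and the minimum versions 1.5.9 and 0.8.4 are assumptions taken from the thread for illustration, not verified against the advisories. It runs offline with no third-party modules.

```javascript
// Added example, not Hyperview project code: audit exact-pinned dependencies
// in a package.json against a minimum-safe-version policy.

// Constructed sample, modelled on the package.json fragment quoted in the issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "tiny-emitter": "2.1.0",
    "url-parse": "1.4.3",
    "xmldom-instawork": "0.0.1",
  },
});

// Hypothetical policy (assumed for this example): the minimum version that
// carries the fix, or a replacement package when the pinned one is a fork
// that will never receive the upstream fix under its own name.
const POLICY = {
  "url-parse": { minVersion: "1.5.9" },
  "xmldom-instawork": { replaceWith: "@xmldom/xmldom", minVersion: "0.8.4" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
// Returns null for ranges ("^1.4.3", "~1.5", "*"), which are not exact pins.
function parseExactVersion(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(spec.trim());
  if (!m) return null;
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split(".") : [],
  };
}

// Semver precedence: numeric parts first, then prerelease identifiers.
// A release outranks any prerelease of the same version (0.66.1 > 0.66.1-rc.0).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] < b.parts[i] ? -1 : 1;
  }
  if (a.prerelease.length === 0 && b.prerelease.length === 0) return 0;
  if (a.prerelease.length === 0) return 1;
  if (b.prerelease.length === 0) return -1;
  const n = Math.max(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = a.prerelease[i], y = b.prerelease[i];
    if (x === undefined) return -1; // shorter prerelease list sorts lower
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1; // numeric identifiers sort below alphanumeric ones
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Audit every dependency: "not-exact-pin", "ok", "upgrade" (bump to minVersion)
// or "replace" (the package itself must change, not just its version).
function auditDependencies(packageJsonText, policy = POLICY) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const pinned = parseExactVersion(spec);
    if (!pinned) {
      findings.push({ name, spec, status: "not-exact-pin" });
      continue;
    }
    const rule = policy[name];
    if (!rule) {
      findings.push({ name, spec, status: "ok" });
      continue;
    }
    if (rule.replaceWith) {
      findings.push({ name, spec, status: "replace", action: `${rule.replaceWith}@${rule.minVersion}` });
      continue;
    }
    const belowMin = compareVersions(pinned, parseExactVersion(rule.minVersion)) < 0;
    findings.push({
      name, spec,
      status: belowMin ? "upgrade" : "ok",
      action: belowMin ? `${name}@${rule.minVersion}` : undefined,
    });
  }
  return findings;
}

// Usage: print one line per dependency with the required action, if any.
for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.status.padEnd(14)} ${f.name}@${f.spec}${f.action ? "  -> " + f.action : ""}`);
}
```

The "replace" status is the point of the exercise: bumping xmldom-instawork from 0.0.1 to a higher 0.0.x would still leave the app on the fork, so the audit has to compare against a package mapping, not only a version floor. Running the same script against a lockfile's resolved versions rather than package.json catches transitive copies of url-parse that the top-level pins do not show.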

Hi @terryatgithub, I think it is safe to update url-parse. I checked that the API is unchanged, and we can QA the updated dependency. Do you want to submit a PR with this change?

Regarding xmldom library: my team will have to take a look at this. A while ago, we needed to fork the xmldom library to fix a parsing bug that caused the library to crash on certain valid inputs. It could be that the change was applied upstream already. But if not, we may need to pull down the latest version of xmldom into our fork. We will keep you posted.

We have actually started exploring updating xmldom in this PR: #527

Hi @adamstep,
a pull request (#542) has been raised to update url-parse to its latest version, 1.5.10; please help review.
Looking forward to the progress on xmldom, and we greatly appreciate all your effort.

I will close this ticket, as the url-parse issue has been fixed by #542, and xmldom is being followed up in PR #527.

Linking to issue #520

@terryatgithub 0.66.1-rc.0 is available on npm with a patched version of xmldom. Note that I'm publishing this as a release candidate: we plan to QA this version extensively with the Instawork apps to make sure there are no regressions with the changes to the parsing library. I recommend you also test your apps with this release candidate before we make a full release.