1942154 - fix npm package vulnerabilities for asrouter and aboutwelcome

Status: RESOLVED FIXED

(Firefox :: Messaging System, task, P1)

Description

[Sarah Chung [:sachung]]

Fix the vulnerabilities shown from running ./mach npm audit prefix=browser/components/asrouter and ./mach npm audit prefix=browser/components/aboutwelcome.

Comment 1

[Sarah Chung [:sachung]]

Attachment: Bug 1942154 - fix npm package vulnerabilities in asrouter and aboutwelcome

Comment 2

[Punam Dahiya [:pdahiya]]

Marked bug as secure to be on safer side as it's addressing audit vulnerabilities in npm packages used by aboutwelcome and asrouter. However rethinking making it a confidential non-security bug should have sufficed.

Comment 3

[Daniel Veditz [:dveditz]]

Your first instinct to make it a security bug was a good one. That would make sure the security team is tracking the issue in case we need backports to supported ESR versions or in case we need advisories. But "Fix the vulnerabilities shown from running ./mach npm audit" could mean a lot of things. Could you attach the audit report to the bug?

I can't tell from the bug, or even the patch:

1. Is code from these packages IN Firefox, or is it code used to build the markup/code that goes into Firefox?
2. Even if the code ends up in Firefox, is the vulnerable functionality something Firefox uses?
3. Even if it's in parts of the code we use, can we prove the conditions to trigger the vulnerabilities would never occur in Firefox because we don't use it on web or user content, or because we sanitize input in ways that would prevent it?

Switching back to a security bug for triage

Comment 4

[Sarah Chung [:sachung]]

Hi Daniel, here is the output from running ./mach npm audit (it's the same for both folders). I'll be discussing with my team to answer the questions you posed in your comment.

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie
  engine.io  0.7.8 - 0.7.9 || 1.8.0 - 6.6.1
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  1.6.0 - 4.7.5
    Depends on vulnerable versions of engine.io
    node_modules/socket.io

cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
node_modules/webpack-cli/node_modules/cross-spawn

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

path-to-regexp  4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws
  socket.io-adapter  2.5.2 - 2.5.4
  Depends on vulnerable versions of ws
  node_modules/socket.io-adapter

9 vulnerabilities (2 low, 1 moderate, 6 high)

To address all issues, run:
  npm audit fix

Comment 5

[Daniel Veditz [:dveditz]]

Would these affect us? Wouldn't we use our own networking code and not need or care about npm cookie?

The DOS issues don't need to be considered as a security bug.

Comment 6

[Punam Dahiya [:pdahiya]]

Doing ./mach npm ls cookie --prefix=browser/components/asrouter points to it being a sub-dependency used in karma testing framework and should be limited to unit tests

Comment 7

[Punam Dahiya [:pdahiya]]

Answering inline to help with security triage thanks!

(In reply to Daniel Veditz [:dveditz] from comment #3)

I can't tell from the bug, or even the patch:

1. Is code from these packages IN Firefox, or is it code used to build the markup/code that goes into Firefox?

Code from these packages is not in Firefox as these packages are used by dev dependencies at build time

2. Even if the code ends up in Firefox, is the vulnerable functionality something Firefox uses?

As above, build time dev dependencies with packages not bundled with Firefox

3. Even if it's in parts of the code we use, can we prove the conditions to trigger the vulnerabilities would never occur in Firefox because we don't use it on web or user content, or because we sanitize input in ways that would prevent it?

Not used on web or user content , almost all of these packages are sub-dependency of karma 6.4.4 and used in unit tests

Switching back to a security bug for triage

Comment 8

[Daniel Veditz [:dveditz]]

Thanks for the detail! We don't need to keep this hidden as a security bug then.

Comment 9

[Pulsebot]

Pushed by sachung@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3211495b2e14
fix npm package vulnerabilities in asrouter and aboutwelcome r=omc-reviewers,dmose

Comment 10

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/3211495b2e14