Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docusaurus depends on [email protected] with CVE-2020-7753 vulnerability #7275

Closed
6 of 7 tasks
octogonz opened this issue Apr 30, 2022 · 10 comments
Closed
6 of 7 tasks
Labels
closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat.

Comments

@octogonz
Copy link

Have you read the Contributing Guidelines on issues?

Prerequisites

  • I'm using the latest version of Docusaurus.
  • I have tried the npm run clear or yarn clear command.
  • I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
  • I have tried creating a repro with https://new.docusaurus.io.
  • I have read the console error message carefully (if applicable).

Description

@docusaurus/[email protected] depends on @mdx-js/[email protected] which depends on [email protected] which is breaking our CI builds with this security scanner failure:

[INFO] _________________________________________________________________________________________________________________________________________________ 
[INFO] |Security Alerts                                                                                                                                | 
[INFO] |_______________________________________________________________________________________________________________________________________________| 
[INFO] |Alert title                             |Affected component                      |Severity                      |Due date                      | 
[INFO] |________________________________________|________________________________________|______________________________|______________________________| 
[INFO] |CVE-2020-7753                           |trim 0.0.1                              |High                          |                              | 
[INFO] |________________________________________|________________________________________|______________________________|______________________________| 
[INFO]  
##[warning]Component Governance detected 1 security related alerts at or above 'High' severity. Microsoft’s Open Source policy requires that all high and critical security vulnerabilities found by this task be addressed by upgrading vulnerable components. Vulnerabilities in indirect dependencies should be addressed by upgrading the root dependency.
[INFO] To change the severity threshold or build result, either dismiss the alerts in Component Governance or update the settings of this build task. 
[INFO] Please contact [email protected] with questions. 
[INFO] Took 1.3847636 seconds to query alerts. 

Reproducible demo

N/A

Steps to reproduce

Here's an easy way to repro the issue:

  1. npm init
  2. npm install @docusaurus/mdx-loader
  3. npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Regular Expression Denial of Service in trim

  Package         trim

  Patched in      >=0.0.3

  Dependency of   @docusaurus/mdx-loader

  Path            @docusaurus/mdx-loader > @mdx-js/mdx > remark-parse > trim

  More info       https://github.com/advisories/GHSA-w5p7-h5w8-2hfq

Expected behavior

Docusaurus should not depend on packages with high severity security vulnerabilities.

Actual behavior

Security vulnerability

Your environment

  • Docusaurus version used: 2.0.0-beta.18
  • Environment name and version (e.g. Chrome 89, Node.js 16.4): Node v14.17.0
  • Operating system and version (e.g. Ubuntu 20.04.2 LTS): Windows 10

Self-service

  • I'd be willing to fix this bug myself.
@octogonz octogonz added bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Apr 30, 2022
@Josh-Cena
Copy link
Collaborator

Please see #6394

@Josh-Cena Josh-Cena added closed: duplicate This issue or pull request already exists in another issue or pull request and removed bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Apr 30, 2022
@Josh-Cena
Copy link
Collaborator

If your CI requires zero audit warning, your CI is broken. DO NOT rely on security audit for front end build pipelines.

@octogonz
Copy link
Author

DO NOT rely on security audit for front end build pipelines.

@slorber Could we get a second opinion on this advice?

  • I understand that the way an NPM package is used may make it impossible for a security vulnerability to be exploited
  • I also understand that in many cases, this impossibility is immediately "obvious" to a knowledgeable person

However in a large code base, the way an NPM package is used is difficult to keep track of. Code evolves constantly. The analysis itself can be tricky. For example Docusaurus's hybrid client/server rendering makes it non-obvious whether a given NPM package will be executed by the browser runtime or Node.js tooling.

  • For these reasons, corporate security departments prefer to simply upgrade every vulnerable package rather than carefully reviewing each case. I think I agree with this mentality.
  • A categorical recommendation "DO NOT rely on security audit" seems... not wise

@Josh-Cena
Copy link
Collaborator

Josh-Cena commented Apr 30, 2022

Apparently, the same issue has been responded to by multiple maintainers:

My response represents the response you will get from every single maintainer, and generally most maintainers in the front-end ecosystem. Docusaurus builds a static site; there's no way a user could be exploited by any security vulnerability whatsoever, unless they actively XSS themselves.

@Josh-Cena
Copy link
Collaborator

Josh-Cena commented Apr 30, 2022

The data flow of Docusaurus is always one-way: developer -> build pipeline -> deployment env -> user. The user never sends data back to the server. When we say "Docusaurus has a server-side", this server-side is not the same as Next.js: it's build-time only, and once deployed, it's only a bunch of static assets.

The only viable attack vector that we are aware of is if you are outsourcing translations and injecting them via dangerouslySetInnerHtml, which may cause an XSS attack from a malicious translation contributor if there's no proofreading process—due to this consideration, all of our HTML text labels are untranslatable.

The lesson is that security audits are broken—it's not my word, it's the consensus from every OSS maintainer. Whenever you open a security issue somewhere, don't just say "there's a known CVE"—prove to us how this CVE can be actually exploited as an attack vector. Even better, please report this through the security portal for responsible disclosure.

@octogonz
Copy link
Author

The user never sends data back to the server.

Take a look at our Docusaurus site:

https://rushstack.io/community/events/

Users do login-with-GitHub and then interact with a Node.js service via web pages that are rendered by the Docusaurus engine. You're really making a lot of assumptions about how a particular Docusaurus site might work.

@Josh-Cena
Copy link
Collaborator

Josh-Cena commented Apr 30, 2022

That's your own code. Unless it's wired through some official Docusaurus API, we can't help with that. Since you are reporting it to upstream, and you have traced it down to exactly remark-parse, I'll assume you know whether any security threat comes in that chain😅

But anyways, I have spent enough time demonstrating to you why (a) it doesn't matter and (b) how to responsibly report security bugs in the front-end ecosystem. It's now your responsibility to abide to that.

@octogonz
Copy link
Author

octogonz commented Apr 30, 2022

we can't help with that

Upgrading your @mdx-js/mdx dependency would fix this issue.

Since you are reporting it to upstream, and you have traced it down to exactly remark-parse, I'll assume you know whether any security threat comes in that chain

Yes, but I'm not the person who is a concern. It is the not-knowledgeable engineer who later adds another project to the same monorepo.

For example, let's say this new project is an Express service that happens to invoke trim() on a potentially malicious input, resulting in a real denial-of-service. Our security scanner should flag that, but oops! -- CVE-2020-7753 is exempted because at the time it seemed irrelevant for the Docusaurus project. (If I understand correctly, you're actually arguing to go further and disable every security check for the entire repo; I can't imagine any corporate compliance group tolerating that approach!)

See, security vulnerabilities by nature are tricky to analyze. This is why it's simpler just to work to get them eliminated from the dependency tree, rather than getting into armchair debates about each vulnerability that comes along.

it's not my word, it's the consensus from every OSS maintainer

As a maintainer of OSS myself, I would certainly give a lower priority to fixing an irrelevant-seeming vulnerability. But I would not dismiss it or argue that we shouldn't bother fixing the vulnerability at all, particularly for a high profile project like Docusaurus.

@Josh-Cena
Copy link
Collaborator

Josh-Cena commented Apr 30, 2022

Upgrading your @mdx-js/mdx dependency would fix this issue.

That's the whole point of every issue I've been pointing to—right? We bump dependencies every week, there's no reason why we won't upgrade it if we can. However, upgrading to MDX v2 has been postponed to Docusaurus v3 because it would be a huge breaking change that will influence every single user, and it also uses ESM which we are not compatible with yet. We have #4029 and #6520 to track them.

If this audit warning really bothers you, consider persuading the remark maintainers to release a patch version for the particular version of remark-parse used by MDX v1. (Alert: I'm pretty sure they won't like the idea)

If I understand correctly, you're actually arguing to go further and disable every security check for the entire repo

I'm saying you should ignore it for Docusaurus because it's a front-end build tool, repeat "build tool". It doesn't offer any runtime features. Your comparison to Express is inadequate and there's a world of difference in between, which is why I said the "single direction of data flow" matters. Express is neither front-end nor "build pipeline". I don't see why my carefully-crafted statement that "DO NOT rely on security audit for front end build pipelines" can be stretched so much.

security vulnerabilities by nature are tricky to analyze

Totally agree. That's why I'm spending so much time demonstrating to you it doesn't matter, instead of instantly dismissing it as "it doesn't matter; now go".

particularly for a high profile project like Docusaurus.

Well, there are much higher-profile projects that take literally the same stance: facebook/create-react-app#11174

Again, we don't work on your team, we can't control your security policy. All we can ask you is, when you open a bug report, please please provide a reproduction. Maintainers have limited time (I have relatively much more time than @slorber but I'm volunteering), so it's important for you to demonstrate yourself how a particular bug is Docusaurus' issue, and for CVEs, how it causes tangible harm. It takes you and your team probably less than 5 minutes to run npm audit and write that report, but had we not been aware of this issue before, it would take us much more time than that to actually verify it's a security threat. The burden is on you, if you want to see it fixed, to demonstrate end-to-end why it's a problem and how we can go about fixing it. Security bugs are no exception to the reproduction → cause track-down → solution proposal workflow.

@Josh-Cena Josh-Cena added closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat. and removed closed: duplicate This issue or pull request already exists in another issue or pull request labels Apr 30, 2022
@slorber
Copy link
Collaborator

slorber commented Apr 30, 2022

See, security vulnerabilities by nature are tricky to analyze.

Not all of them IMHO.

We are a build tool that runs in your CI to produce a static site output, based on inputs you commit yourself to Git.

To be affected by such Denial-of-Service you'd have to want to hack yourself and commit malicious content on Git.

And it would only DOS your CI (potentially blocking or slowing down the deployment), not really affecting real site visitors.


I don't think it's good to disable/ignore all security warnings, but I guess in our context you can just ignore all those Regular Expression Denial of Service errors by default.

I believe those shouldn't have Severity: Hight in the first place 🤷‍♂️ and in our particular context it's probably not even Medium.

See also https://overreacted.io/npm-audit-broken-by-design/


However in a large code base, the way an NPM package is used is difficult to keep track of. Code evolves constantly. The analysis itself can be tricky. For example Docusaurus's hybrid client/server rendering makes it non-obvious whether a given NPM package will be executed by the browser runtime or Node.js tooling.

We keep the browser runtime very small in core and theme-classic so there's only a limited number of dependencies being used there.

If there's a DOS vulnerability in a browser package that could affect real users, we'll look into it as a priority.

Now if you don't know if it's server or browser code, you can ask (like in this issue) and we'll tell you.


We don't have the bandwidth to fix all those harmless vulnerabilities ourselves, but I understand if your company remains afraid of such vulnerabilities.

It remains possible for you:

  • to fork the project and fix those vulnerabilities (some version bumps are not so easy)
  • force resolution of trim to a newer version, hoping it will keep working (eventually use patch-package to adapt some code that doesn't work)
  • help us fund the project so that we have more bandwidth to fix such vulnerabilities.

@Josh-Cena Josh-Cena closed this as not planned Won't fix, can't repro, duplicate, stale May 28, 2022
facebook-github-bot pushed a commit to facebookincubator/CG-SQL that referenced this issue Jun 17, 2022
Summary:
Three tasks (T121720170, T121720171, T121790680) related to unresolved vulnerabilities in the CQL GitHub project are filed after the addition of the yarn.lock file in D36390866 (3eb1a11). ~~Removing the yarn.lock file should close those tasks automatically.~~ Addressing this by forcefully updating the affected dependencies to a recent version even though our upstream dependencies are requiring older versions.

GitHub uses yarn.lock (or package-lock.json) files to detect the use of npm libraries that have CVEs associated with them, and an [internal checkup tool](https://www.internalfb.com/intern/opensource/github/repo/2666233626998565/checkup/) detects its status. The two particular CVEs raised (on trim, nth-check) are from upstream libraries imported by Docusaurus. The Docusaurus team don't intend to fix the underlying issue ([Github Discussion](facebook/docusaurus#7275), they also reference [Dan Abramov's post arguing this whole vulnerabilty scan thing is broken](https://overreacted.io/npm-audit-broken-by-design/))

~~Usually yarn.lock files should be checked in to ensure everyone (including prod) fetches the same dependencies, but given that this project is just a doc site and we have probably been working fine without it for ~3+ years, I think taking away yarn.lock is the best way to work around this issue.~~

Reviewed By: yangshun

Differential Revision: D37075991

fbshipit-source-id: b39875f8bf1251df64abbb7bdc8cbb9139e682a6
xoxys added a commit to woodpecker-ci/woodpecker that referenced this issue Aug 1, 2023
Related-to: #2078

Remaining CVEs:

```
❯ trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
2023-08-01T10:02:36.911+0200	INFO	Vulnerability scanning is enabled
2023-08-01T10:02:36.911+0200	INFO	Secret scanning is enabled
2023-08-01T10:02:36.911+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-01T10:02:36.911+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-08-01T10:02:36.963+0200	INFO	Number of language-specific files: 1
2023-08-01T10:02:36.963+0200	INFO	Detecting pnpm vulnerabilities...

pnpm-lock.yaml (pnpm)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ got     │ CVE-2022-33987 │ MEDIUM   │ 9.6.0             │ 11.8.5, 12.1.0 │ missing verification of requested URLs allows redirects to   │
│         │                │          │                   │                │ UNIX sockets                                                 │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-33987                   │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ trim    │ CVE-2020-7753  │ HIGH     │ 0.0.1             │ 0.0.3          │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │
│         │                │          │                   │                │ trim function                                                │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-7753                    │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
```

- `trim` is pulled in by `@docusaurus/theme-classic` and can be ignored
due to
facebook/docusaurus#7275 (comment)
- `got` can be ignored as well, see `trim`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat.
Projects
None yet
Development

No branches or pull requests

3 participants