Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in dependency growl 1.9.2 #2791

Closed
balsamiqFlorian opened this issue May 8, 2017 · 9 comments
Closed

Vulnerability in dependency growl 1.9.2 #2791

balsamiqFlorian opened this issue May 8, 2017 · 9 comments
Labels
status: needs upstream fix defect within Mocha's dependency tree

Comments

@balsamiqFlorian
Copy link

Hi,

I got a report that mocha includes growl 1.9.2 which is vulnerable to an arbitrary code injection.
https://snyk.io/vuln/npm%3Agrowl%3A20160721?utm_campaign=vuln_alert&utm_medium=email&utm_source=Vuln

This issue is closed in growl 1.9.3.

Thanks.
@faust64 faust64 mentioned this issue May 14, 2017
Closed
@ScottFreeCode
Copy link
Contributor

Is there a way we can tell Snyk that Growl 1.9.3 does not in fact exist, and that the commit they reference is only in a fork (so it is possible that in the future Growl 1.9.3 could be published before fixing this issue, thus rendering their instructions incorrect once 1.9.3 does exist)?

If anybody wants to look at whether Mocha is actually at risk from this, I believe these would be the lines to examine:

mocha/lib/mocha.js

Lines 241 to 257 in 8a3cab0

Mocha.prototype._growl = function (runner, reporter) {
var notify = require('growl');
runner.on('end', function () {
var stats = reporter.stats;
if (stats.failures) {
var msg = stats.failures + ' of ' + runner.total + ' tests failed';
notify(msg, { name: 'mocha', title: 'Failed', image: image('error') });
} else {
notify(stats.passes + ' tests passed in ' + stats.duration + 'ms', {
name: 'mocha',
title: 'Passed',
image: image('ok')
});
}
});
};

@ScottFreeCode ScottFreeCode added the status: needs upstream fix defect within Mocha's dependency tree label May 14, 2017
@andris310
Copy link

Got same warning in Node Security Platform https://nodesecurity.io/advisories/146

@Fzzr
Copy link

Fzzr commented Jul 6, 2017
edited
Loading

See issue tj/node-growl#60 and PRs tj/node-growl#61 and tj/node-growl#62

@KaiSchwarz-cnic
Copy link

Got same warning using retire.js

faust64 added a commit to faust64/mocha that referenced this issue Jul 14, 2017
@faust64
chore(package): bump growl to 1.10.0
fc4c96c 
Following-up on mochajs#2798 & mochajs#2791, update growl that is known to be vulnerable
@faust64 faust64 mentioned this issue Jul 14, 2017
Closed
brimtown added a commit to brimtown/mocha that referenced this issue Jul 17, 2017
@brimtown
Upgrade Growl to 1.10.2
4b9d654 
* Growl 1.9.2 is vulnerable to arbitrary code injection,
  and causes security warnings for Mocha users
* Upgrade Growl to 1.10.2, and address issue mochajs#2791
@brimtown brimtown mentioned this issue Jul 17, 2017
Closed
@davorivas
Copy link

I am getting the same error and my tests in circleCI are not passing because of this "vulnerability"

(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────┐
│ │ Command Injection │
├───────────────┼───────────────────────────────────────────────────────┤
│ Name │ growl │
├───────────────┼───────────────────────────────────────────────────────┤
│ CVSS │ 9.8 (Critical) │
├───────────────┼───────────────────────────────────────────────────────┤
│ Installed │ 1.9.2 │
├───────────────┼───────────────────────────────────────────────────────┤
│ Vulnerable │ All │
├───────────────┼───────────────────────────────────────────────────────┤
│ Patched │ None │
├───────────────┼───────────────────────────────────────────────────────┤
│ Path │ my-project > [email protected] > [email protected]
├───────────────┼───────────────────────────────────────────────────────┤
│ More Info │ https://nodesecurity.io/advisories/146
└───────────────┴───────────────────────────────────────────────────────┘

@janvennemann
Copy link

As a workaround, until a decision was made on #2930 and mocha being a dev dependency in almost all cases, you can resort to only check your production dependencies with retire -p. NSP seems to do this by default as i'm getting no vulnerability warnings when running against a project that uses mocha as a dev dependency. If you still want to check your dev dependencies, explicitly ignore growl for the time being by adding @growl to your .retireignore or the more detailed .retireignore.json

@ScottFreeCode ScottFreeCode mentioned this issue Aug 21, 2017
Closed
@ScottFreeCode ScottFreeCode mentioned this issue Aug 31, 2017
Closed
@danjm danjm mentioned this issue Oct 4, 2017
Merged
@nitrocode
Copy link

@janvennemann thanks

✗ cat .retireignore.json
[
  {
    "component": "growl",
    "version" : "1.9.2",
    "justification" : "Ignored according to mocha issue #2791: https://github.com/mochajs/mocha/issues/2791#issuecomment-319963186"
  }
]

@boneskull
Copy link
Contributor

fixed

@cgewecke cgewecke mentioned this issue May 9, 2018
Merged
@TheAlexLichter TheAlexLichter mentioned this issue Aug 5, 2018
Closed
kazuar added a commit to kazuar/mAWS that referenced this issue Aug 10, 2018
@kazuar
Ignored growl issues in mocha #2791: mochajs/mocha#2791 (comment)
b06097a
@matdotcom
Copy link

matdotcom commented Aug 13, 2019
edited
Loading

I have updated to 1.10.5 still have this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: needs upstream fix defect within Mocha's dependency tree
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@KaiSchwarz-cnic @davorivas @boneskull @Fzzr @janvennemann @andris310 @balsamiqFlorian @nitrocode @ScottFreeCode @matdotcom