CVE-2022-29622 (High) detected in formidable-2.0.1.tgz - autoclosed

[mend-for-github-com]

CVE-2022-29622 - High Severity Vulnerability

Vulnerable Library - formidable-2.0.1.tgz

A node.js module for parsing form data, especially file uploads.

Library home page: https://registry.npmjs.org/formidable/-/formidable-2.0.1.tgz

Dependency Hierarchy:

• supertest-6.2.2.tgz (Root Library)
  • superagent-7.1.2.tgz
    • ❌ formidable-2.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled.
Mend Note: After conducting further research, Mend has determined that this is a controversial case - Mend security team suggest to refer to it as a risky feature and not as critical vulnerability

Publish Date: 2022-05-16

URL: CVE-2022-29622

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-16

Fix Resolution: formidable - 3.2.4

[tmarkley]

$ yarn why formidable
yarn why v1.22.18
[1/4] Why do we have the module "formidable"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#supertest#superagent" depends on it
   - Hoisted from "_project_#supertest#superagent#formidable"
info Disk size without dependencies: "148KB"
info Disk size with unique dependencies: "500KB"
info Disk size with transitive dependencies: "1.09MB"
info Number of shared dependencies: 12
Done in 0.91s.

[tmarkley]

$ npm ls formidable
[email protected] /home/ubuntu/ws/OpenSearch-Dashboards
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

[tmarkley]

This CVE is still undergoing analysis by NVD - it's unclear if Dashboards is impacted.

[CCongWang]

$ npm ls formidable
[email protected] /home/ubuntu/github/OpenSearch-Dashboards
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

[CCongWang]

Currently superagent still uses [email protected] (code), do we need to wait for superagent upgrade formidable? @kavilla

[ananzh]

The fix is to bump formidable to v3.2.4+

Currently [email protected] is using [email protected]. The latest superagent is still using formidable:^2.0.1.

Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md

I think the solution is to resolve it to v3.2.4 but no backport. This CVE should be fixed in 3.0.0 due to breaking changes.

[zhongnansu]

Issue:

• formidable@v2 is reported to have CVE, and they patch the fix in formidable@v3, a major version. But v3 is a ESM module without common JS support. After adding resolution in package.json, our unit test will throw error.

Summary of all failing tests
 FAIL  src/core/server/http/http_server.test.ts
  ● Test suite failed to run

    Jest encountered an unexpected token

    Jest failed to parse a file. This happens e.g. when your code or its dependencies use non-standard JavaScript syntax, or when Jest is not configured to support such syntax.

    Out of the box Jest supports Babel, which will be used to transform your files into valid JS based on your Babel configuration.

    By default "node_modules" folder is ignored by transformers.

    Here's what you can do:
     • If you are trying to use ECMAScript Modules, see https://jestjs.io/docs/ecmascript-modules for how to enable it.
     • If you are trying to use TypeScript, see https://jestjs.io/docs/getting-started#using-typescript
     • To have some of your "node_modules" files transformed, you can specify a custom "transformIgnorePatterns" in your config.
     • If you need a custom transformation specify a "transform" option in your config.
     • If you simply want to mock your non-JS modules (e.g. binary assets) you can stub them out with the "moduleNameMapper" config option.

    You'll find more details and examples of these config options in the docs:
    https://jestjs.io/docs/configuration
    For information about custom transformations, see:
    https://jestjs.io/docs/code-transformation

    Details:

    /__w/OpenSearch-Dashboards/OpenSearch-Dashboards/node_modules/formidable/src/index.js:1
    ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,jest){import PersistentFile from './PersistentFile.js';
                                                                                      ^^^^^^

    SyntaxError: Cannot use import statement outside a module

      at Runtime.createScriptFromCode (node_modules/jest-runtime/build/index.js:1728:14)
      at Object.<anonymous> (node_modules/superagent/src/node/index.js:17:20)
      at Object.<anonymous> (node_modules/supertest/lib/test.js:11:21)

• To fix unit tests, we modified jest.config.js to use dynamic import. Unit tests can pass now. But then our functional test(cypress) is throwing another error.

Must use import to load ES Module: /__w/OpenSearch-Dashboards/OpenSearch-Dashboards/node_modules/formidable/src/index.js
require() of ES modules is not supported.

• This may because cypress doesn't support cjs, as CJS plugins file (and ideally also allowing an ESM one) cypress-io/cypress#16467. I am not sure about this part tho.

At the meantime I found some other discussion on formidable, and the parent libraries superagent and supertest github repos. Briefly speaking, superagent won't upgrade formidable to v3 to resolve the CVE. Because v3 doesn't support ESM, they insists asking formidable to backport the fix to v2, as well as asking their vulnerability consultant snyk to revoke the CVE(Snyk did).

References

• A blog about engineer trying to resolve the same CVE but met the same issues as us, ended up dropping the parent library
• discussion in formidable Vulnerability CVE-2022-29622 is reported by Whitesource node-formidable/formidable#856
• Snyk publishes a notice to revoke "CVE-2022-29622": https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956
• blogs to explain why CVE-2022–29622 is not valid: https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721

Summary

• I think we need to reach out to Mend to see if they have plan to revoke the CVE.
• See if other tricks work to support ESM

cc @ananzh @tmarkley @joshuarrrr @kavilla any thoughts?

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.