
fix: critical vulnerability reported by whitesource #1389

Closed
RezaRahmati opened this issue Nov 9, 2021 · 8 comments
Labels
status: duplicate Issue is being tracked already in another issue. type: fix Issues describing a broken feature.

Comments

@RezaRahmati

Description

Whitesource scanning tool is reporting a high vulnerability issue on class-validator

here is the description from whitesource:

In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.


@RezaRahmati RezaRahmati added status: needs triage Issues which needs to be reproduced to be verified report. type: fix Issues describing a broken feature. labels Nov 9, 2021
@shaunek

shaunek commented Nov 11, 2021

This issue was raised last month in #1342. The Github issue was initially marked critical and then downgraded to moderate severity. I don't use Whitesource so I can't comment much on it, but I'm not sure why this same vuln would be classified as high severity there while Github downgraded the severity level.

In practical terms what our team did to ensure that usage of class-validator was safe was to follow the instructions - we used the forbidUnknownValues parameter, which is an undocumented option of the ValidatorOptions. See #438 for more discussion that started a long time ago.

And FYI - this library seems to be in a limbo state in regards to maintenance, I'm seeing no real activity for the past little while. The Nestjs team is so worried about it that they have apparently forked it and are actively maintaining as of the past few weeks (apparently Nestjs relies on this lib and the related class-transformers heavily). I'm not necessarily suggesting anybody jump over to the Nestjs fork but it might be worth looking into. https://www.npmjs.com/package/@nestjs/class-validator
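The bypass class described in the issue body, and the mitigation shaunek mentions, both come down to one design decision: a validator that looks up its rules by the input object's constructor and treats "no rules found" as "nothing to check" fails open. The JavaScript below is an added, reduced model written for this page; it is not class-validator's code and not the reported PoC. The `rules` map, `isString`, `LoginDto` and `demo` are illustrative names, and the `forbidUnknownValues` option is borrowed from the thread to show the fail-open default next to the fail-closed setting.

```javascript
// Added example for this thread, not class-validator's own code.
// Reduced model of a decorator-style validator: rules are stored in a map
// keyed by the class (constructor) of the object being validated.
const rules = new Map();

// Register a "must be a string" rule for a property of a class (hypothetical helper).
function isString(cls, prop) {
  if (!rules.has(cls)) rules.set(cls, []);
  rules.get(cls).push({
    prop,
    check: (v) => typeof v === 'string',
    msg: `${prop} must be a string`,
  });
}

class LoginDto {}
isString(LoginDto, 'username');
isString(LoginDto, 'password');

// validate(): resolve the rule set through obj.constructor, the way
// metadata-driven validators do. options.forbidUnknownValues mirrors the
// ValidatorOptions flag discussed in the thread.
function validate(obj, options = {}) {
  const errors = [];
  const target = obj !== null && typeof obj === 'object' ? obj.constructor : undefined;
  const ruleSet = typeof target === 'function' ? rules.get(target) : undefined;
  if (!ruleSet) {
    // Vulnerable default: no rules found, so nothing is checked and the
    // payload passes. With forbidUnknownValues the same case fails closed.
    if (options.forbidUnknownValues) {
      errors.push({ prop: undefined, msg: 'an unknown value was passed to the validate function' });
    }
    return errors;
  }
  for (const r of ruleSet) {
    if (!r.check(obj[r.prop])) errors.push({ prop: r.prop, msg: r.msg });
  }
  return errors;
}

// Constructed payloads (not taken from the issue).
const good = Object.assign(new LoginDto(), { username: 'alice', password: 's3cret' });
const bad = Object.assign(new LoginDto(), { username: 'alice', password: 42 });

// A plain object parsed from JSON has Object as its constructor, which owns
// no rules, so it is never checked against LoginDto...
const plain = JSON.parse('{"username": "alice", "password": 42}');
// ...and a JSON key literally named "constructor" becomes an own property
// that shadows the prototype's constructor, so the lookup sees a string and
// finds no rules either. This is the "conflicting name" failure mode.
const shadowed = JSON.parse('{"constructor": "x", "username": "alice", "password": 42}');

// Error counts for each payload under the default and the hardened setting.
function demo() {
  return {
    goodDefault: validate(good).length,
    badDefault: validate(bad).length,
    plainDefault: validate(plain).length,
    shadowedDefault: validate(shadowed).length,
    plainStrict: validate(plain, { forbidUnknownValues: true }).length,
    shadowedStrict: validate(shadowed, { forbidUnknownValues: true }).length,
  };
}

console.log(demo());
```

The two zeros in `plainDefault` and `shadowedDefault` are the bypass: the invalid password is never inspected because the rule lookup came back empty. Turning on `forbidUnknownValues` does not make the lookup smarter, it only changes the empty-lookup case from "pass" to "reject", which is why the thread treats it as the practical mitigation rather than a fix of the lookup itself.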

@IanMoroney

For anyone interested in resolving this issue, change to the recently forked (and patched) @nestjs/class-validator package.

"@nestjs/class-validator": "^0.13.3"

Update your import references too, and you should be good to go 👍

@shaunek

shaunek commented Nov 13, 2021

If you are considering using the @nestjs/class-validator fork and you are a Nestjs user: be aware that if you are using class-validator simply because it is a nestjs peerDependency (and you need to use ValidationPipe or something), simply replacing class-validator with @nestjs/class-validator won't work by itself. See nestjs/nest#8562

@array-addu

@IanMoroney @shaunek I am still getting this vulnerability even after updating @nestjs/class-validator to 0.13.3 like this "class-validator": "npm:@nestjs/class-validator@0.13.3"
Can you suggest why it's not working for me?

@braaar
Member

braaar commented Nov 2, 2022

> @IanMoroney @shaunek I am still getting this vulnerability even after updating @nestjs/class-validator to 0.13.3 like this "class-validator": "npm:@nestjs/class-validator@0.13.3" Can you suggest why it's not working for me?

I think you should rather ask about this in https://github.com/nestjs/class-validator

@IanMoroney

this could also help @array-addu :
nestjs/nest#8562 (comment)

@NoNameProvided NoNameProvided added status: duplicate Issue is being tracked already in another issue. and removed status: needs triage Issues which needs to be reproduced to be verified report. labels Nov 20, 2022
@NoNameProvided
Member

Please see #1422 (comment) for details and tracking of the issue.

In short, the provided POC doesn't result in a bypass since at least 2021 October 22. (So for almost a year) but I had trouble marking the vulnerability as patched with the vendors.

> For anyone interested in resolving this issue, change to the recently forked (and patched) @nestjs/class-validator package.

As far as I can tell the package hosted on NestJS is not patched. You don't get the vulnerability alert because it's published under a new name but the code is the same.

I am closing this issue as a duplicate of the above-linked one.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2022

6 participants