Need to patch vulnerable dependency packages

$ npm audit --production
# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install express-jwt@1.2.0, which is a breaking change
node_modules/async
node_modules/forest-express/node_modules/async
node_modules/forest-express/node_modules/express-jwt/node_modules/async
  express-jwt  >=1.3.0
  Depends on vulnerable versions of async
  node_modules/express-jwt
  node_modules/forest-express/node_modules/express-jwt
    forest-express  *
    Depends on vulnerable versions of express-jwt
    Depends on vulnerable versions of moment
    node_modules/forest-express
      forest-express-sequelize  0.2.1 - 0.2.5 || >=0.5.0
      Depends on vulnerable versions of forest-express
      Depends on vulnerable versions of moment
      node_modules/forest-express-sequelize
  winston  0.4.0 - 3.2.1
  Depends on vulnerable versions of async
  node_modules/forest-express/node_modules/winston

moment  <2.29.2
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix --force`
Will install forest-express@0.1.33, which is a breaking change
node_modules/forest-express-sequelize/node_modules/moment
node_modules/moment
  forest-express  *
  Depends on vulnerable versions of express-jwt
  Depends on vulnerable versions of moment
  node_modules/forest-express
    forest-express-sequelize  0.2.1 - 0.2.5 || >=0.5.0
    Depends on vulnerable versions of forest-express
    Depends on vulnerable versions of moment
    node_modules/forest-express-sequelize

Feature(s) impacted

These vulnerabilities have triggered SOC controls that are preventing us from being able to deploy our forest admin application.

Observed behavior

Unpatch vulnerable dependencies

Expected behavior

Patched vulnerable dependencies

Failure Logs

See above

Context

  • Project name: …Finicity - all forest admin
  • Team name: … connect services
  • Environment name: … All environments
  • Agent type & version:
$ npm ls forest-express
@finicity/woodpecker@1.27.5 /Users/aprior/dev/woodpecker
├─┬ forest-express-sequelize@8.5.3
│ └── forest-express@9.4.1 deduped
└── forest-express@9.4.1
  • Recent changes made on your end if any: …
    none

Hello @Andrew_Prior,

Thank you for reporting this issue to us. I’ve just created two tickets (one for each vulnerability) with high priority that should be tackled soon. If you want, you can follow their progress here:

We will keep you posted once solved :slight_smile:

Kind regards,
Louis

Hi @Andrew_Prior, all dependencies with vulnerabilities have been patched.

A new forest-express-sequelize version 8.5.4 has been released. By upgrading to this version it should be good to go.

Thanks for your patience.

It looks like there is still a vulnerable dependency included in this path:

├─┬ forest-express@9.4.3
│ └─┬ winston@3.2.1
│   └── async@2.6.3

Hi @Andrew_Prior ,

There is no vulnerability in the forest-express package itself (v9.4.3 and v9.4.4), see the capture below:

(Screenshot: Screen Shot 2022-04-20 at 14.35.31)

I am convinced that the remaining vulnerability detected on your project is related to the way your async dependency resolution is locked in your package-lock.json.

winston@3.2.1 dependencies resolutions are defined like this:

"winston": {
      "version": "3.2.1",
      "resolved": "https://registry.npmjs.org/winston/-/winston-3.2.1.tgz",
      "integrity": "sha512-zU6vgnS9dAWCEKg/QYigd6cgMVVNwyTzKs81XZtTFuRwJOcDdBg7AU0mXVyNbs7O5RH2zdv+BdNZUlx7mXPuOw==",
      "requires": {
        "async": "^2.6.1",
        "diagnostics": "^1.1.1",
        "is-stream": "^1.1.0",
        "logform": "^2.1.1",
        "one-time": "0.0.4",
        "readable-stream": "^3.1.1",
        "stack-trace": "0.0.x",
        "triple-beam": "^1.3.0",
        "winston-transport": "^4.3.0"
      },
    }

The latest resolution for async@^2.6.1 is async@2.6.4 (not async@2.6.3).
And async@2.6.4 is the latest “vulnerabilities free” patch.

To remove this last vulnerability in your project, you can remove winston dependency resolution in the package-lock.json and execute npm install. I am pretty sure it will install the latest version of async and lock it in your package-lock.json.

npm audit should, in the end, be empty.

Let me know.
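To make the lock-file point above concrete, here is an added example (my own code, not from the thread or from Forest Admin) that walks a lockfile-v1 package-lock.json in the "dependencies"/"requires" shape quoted above, flags packages locked below a known patched version, and checks whether the parent's declared range already admits the patched version (in which case removing the stale entry and re-running `npm install`, as suggested above, is enough) or whether the parent itself needs a dependency bump. The lock fragment, the exact moment pin under forest-express-sequelize and the table of patched versions are constructed for the demonstration; only the async and moment figures come from the thread, and the range matcher handles just the caret and exact-pin shapes seen in the quoted lock.

```javascript
// Added example, not code from the thread or from Forest Admin.
// Scans a lockfile-v1 style package-lock.json for packages locked below a
// known patched version and reports whether a plain reinstall can fix them.
'use strict';

// Patched versions per major line. async/moment values are from the thread;
// any other package would have to be looked up in its advisory.
const MINIMUM_PATCHED = {
  async: ['2.6.4', '3.2.2'],
  moment: ['2.29.2'],
};

// Constructed lock fragment for demonstration (not a real project lock file).
// The exact "2.29.1" pin on moment is hypothetical, to show the non-fixable case.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    async: { version: '3.2.3' },
    'forest-express': {
      version: '9.4.3',
      requires: { winston: '^3.2.1' },
      dependencies: {
        winston: {
          version: '3.2.1',
          requires: { async: '^2.6.1' },
          dependencies: { async: { version: '2.6.3' } },
        },
      },
    },
    'forest-express-sequelize': {
      version: '8.5.3',
      requires: { moment: '2.29.1' },
      dependencies: { moment: { version: '2.29.1' } },
    },
  },
};

// Compare two "MAJOR.MINOR.PATCH" strings (assumption: no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Does a declared range admit `version`? Handles only the shapes in the quoted
// lock: caret ranges on major >= 1 (^2.6.1 means >=2.6.1 <3.0.0) and exact pins.
function rangeAllows(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  return Number(base.split('.')[0]) === Number(version.split('.')[0])
    && compareVersions(version, base) >= 0;
}

// Patched version on the same major line as `version`, or null if none is listed.
function minimumForMajor(candidates, version) {
  const major = Number(version.split('.')[0]);
  return candidates.find((c) => Number(c.split('.')[0]) === major) || null;
}

// Depth-first walk of the nested node_modules tree in a lockfile v1.
function* walkLock(deps, parentPath = 'node_modules', parent = null) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}/${name}`;
    yield { name, entry, path, parent };
    if (entry.dependencies) {
      yield* walkLock(entry.dependencies, `${path}/node_modules`, { name, entry });
    }
  }
}

// Report every locked package below its patched version, with the declared
// range of the package that pulled it in and whether a reinstall can fix it.
function findStaleLocks(lock, minimums) {
  const findings = [];
  for (const { name, entry, path, parent } of walkLock(lock.dependencies)) {
    const candidates = minimums[name];
    if (!candidates) continue;
    const minimum = minimumForMajor(candidates, entry.version);
    if (minimum && compareVersions(entry.version, minimum) >= 0) continue;
    const range = parent && parent.entry.requires ? parent.entry.requires[name] : null;
    findings.push({
      name,
      version: entry.version,
      path,
      requiredBy: parent ? `${parent.name}@${parent.entry.version}` : '(root)',
      range,
      minimum,
      // Deleting the entry and re-running `npm install` only helps when the
      // parent's declared range already admits the patched version.
      fixableByReinstall: Boolean(minimum && range && rangeAllows(range, minimum)),
    });
  }
  return findings;
}

for (const f of findStaleLocks(SAMPLE_LOCK, MINIMUM_PATCHED)) {
  console.log(`${f.path}: ${f.name}@${f.version} < ${f.minimum} (via ${f.requiredBy} "${f.range}"): `
    + (f.fixableByReinstall ? 'remove lock entry and reinstall' : 'parent needs a dependency bump'));
}
```

On the sample lock this reports the async@2.6.3 under winston as fixable by reinstall (winston's `^2.6.1` admits 2.6.4) and the pinned moment as needing a bump in the parent. To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a lockfileVersion 2 file still carries the nested "dependencies" tree for compatibility, but version 3 only has the flat "packages" map, which this walker does not read.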

So we are seeing an issue since updating forest-express@9.4.4

{"instance":"44fd945b-32e7-4017-988f-57e5f6b9ce48","level":"debug","message":"Error: Cannot find module 'mimic-response'\nRequire stack:\n- /Users/aprior/dev/woodpecker/node_modules/got/node_modules/decompress-response/index.js\n- /Users/aprior/dev/woodpecker/node_modules/got/dist/source/core/index.js\n- /Users/aprior/dev/woodpecker/node_modules/got/dist/source/as-promise/types.js\n- /Users/aprior/dev/woodpecker/node_modules/got/dist/source/as-promise/index.js\n- /Users/aprior/dev/woodpecker/node_modules/got/dist/source/create.js\n- /Users/aprior/dev/woodpecker/node_modules/got/dist/source/index.js\n- /Users/aprior/dev/woodpecker/node_modules/openid-client/lib/client.js\n- /Users/aprior/dev/woodpecker/node_modules/openid-client/lib/issuer.js\n- /Users/aprior/dev/woodpecker/node_modules/openid-client/lib/index.js\n- /Users/aprior/dev/woodpecker/node_modules/forest-express-sequelize/node_modules/forest-express/dist/context/build-external.js\n- /Users/aprior/dev/woodpecker/node_modules/forest-express-sequelize/node_modules/forest-express/dist/context/service-builder.js\n- /Users/aprior/dev/woodpecker/node_modules/forest-express-sequelize/node_modules/forest-express/dist/index.js\n- /Users/aprior/dev/woodpecker/node_modules/forest-express-sequelize/dist/index.js\n- /Users/aprior/dev/woodpecker/app.js\n- /Users/aprior/dev/woodpecker/index.js\n    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)\n    at Function.Module._load (node:internal/modules/cjs/loader:778:27)\n    at Module.require (node:internal/modules/cjs/loader:1005:19)\n    at require (node:internal/modules/cjs/helpers:102:18)\n    at Object.<anonymous> (/Users/aprior/dev/woodpecker/node_modules/got/node_modules/decompress-response/index.js:4:23)\n    at Module._compile (node:internal/modules/cjs/loader:1103:14)\n    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)\n    at Module.load (node:internal/modules/cjs/loader:981:32)\n    at Function.Module._load (node:internal/modules/cjs/loader:822:12)\n    at Module.require (node:internal/modules/cjs/loader:1005:19)\n    at require (node:internal/modules/cjs/helpers:102:18)\n    at Object.<anonymous> (/Users/aprior/dev/woodpecker/node_modules/got/dist/source/core/index.js:14:28)\n    at Module._compile (node:internal/modules/cjs/loader:1103:14)\n    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)\n    at Module.load (node:internal/modules/cjs/loader:981:32)\n    at Function.Module._load (node:internal/modules/cjs/loader:822:12)\n    at Module.require (node:internal/modules/cjs/loader:1005:19)\n    at require (node:internal/modules/cjs/helpers:102:18)\n    at Object.<anonymous> (/Users/aprior/dev/woodpecker/node_modules/got/dist/source/as-promise/types.js:14:16)\n    at Module._compile (node:internal/modules/cjs/loader:1103:14)\n    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)\n    at Module.load (node:internal/modules/cjs/loader:981:32)\n    at Function.Module._load (node:internal/modules/cjs/loader:822:12)\n    at Module.require (node:internal/modules/cjs/loader:1005:19)\n    at require (node:internal/modules/cjs/helpers:102:18)\n    at Object.<anonymous> (/Users/aprior/dev/woodpecker/node_modules/got/dist/source/as-promise/index.js:16:17)\n    at Module._compile (node:internal/modules/cjs/loader:1103:14)\n    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)","service":"@finicity/woodpecker","timestamp":"2022-04-20T20:25:54.856Z","version":"1.27.5"}
@finicity/woodpecker@1.27.5 /Users/aprior/dev/woodpecker
└─┬ forest-express@9.4.4
  └─┬ openid-client@4.2.0
    └─┬ got@11.8.3
      └─┬ cacheable-request@7.0.2
        └─┬ clone-response@1.0.2
          └── mimic-response@1.0.1

This error appears when I install either of the updated patches.

Hi @Andrew_Prior, let’s try to dig into this together in more detail if that’s ok with you. I have contacted you by private message to arrange a time slot.

Starting with these deps in my package.json:

"dependencies": {
    "@elastic/elasticsearch": "^7.15.0",
    "@opentelemetry/api": "^1.0.4",
    "@opentelemetry/instrumentation-dns": "^0.27.1",
    "@opentelemetry/instrumentation-express": "^0.28.0",
    "@opentelemetry/instrumentation-graphql": "^0.27.4",
    "@opentelemetry/instrumentation-http": "^0.27.0",
    "@opentelemetry/instrumentation-ioredis": "^0.28.0",
    "@opentelemetry/instrumentation-mysql": "^0.28.0",
    "@opentelemetry/instrumentation-mysql2": "^0.29.0",
    "@opentelemetry/instrumentation-redis": "^0.29.0",
    "@opentelemetry/instrumentation-winston": "^0.27.3",
    "@splunk/otel": "^0.17.0",
    "amqplib": "^0.8.0",
    "aws-sdk": "^2.906.0",
    "bluebird": "^3.5.5",
    "body-parser": "^1.19.2",
    "cookie-parser": "^1.4.5",
    "cors": "^2.8.5",
    "csvtojson": "^2.0.10",
    "dotenv": "^14.3.2",
    "express-jwt": "^6.1.1",
    "express-xml-bodyparser": "^0.3.0",
    "forest-express": "^9.2.5",
    "forest-express-sequelize": "^8.5.3",
    "fuse.js": "^3.6.1",
    "helmet": "^4.6.0",
    "http-terminator": "^3.0.0",
    "ioredis": "^4.27.5",
    "joi": "^17.6.0",
    "js-yaml": "^4.1.0",
    "lodash": "^4.17.21",
    "morgan": "^1.10.0",
    "multer": "^1.4.2",
    "mysql2": "^1.6.1",
    "opentelemetry-instrumentation-amqplib": "^0.27.0",
    "opentelemetry-instrumentation-elasticsearch": "^0.27.0",
    "opentelemetry-instrumentation-sequelize": "^0.27.0",
    "re2": "^1.17.4",
    "request": "^2.88.2",
    "request-promise": "^4.2.6",
    "request-promise-native": "^1.0.9",
    "s": "^1.0.0",
    "sequelize": "^6.11.0",
    "sequelize-cli": "^6.2.0",
    "serve-favicon": "^2.5.0",
    "signalfx": "^7.3.0",
    "superagent": "^7.1.2",
    "swagger-ui-express": "^4.1.6",
    "url-parse": "^1.5.1",
    "uuid": "^8.3.2",
    "winston": "^3.6.0",
    "workerpool": "^5.0.4",
    "xml2js": "^0.4.23"
  }

When I do an npm i --production (I have also tried npm i and npm ci), I get

Error: Cannot find module 'mimic-response'

If I update forest-express-sequelize to ^8.5.4 and remove the unneeded forest-express package… I still get the error.

To resolve this, I have to install mimic-response. I then immediately uninstall mimic-response and when I run the application, I do not get any error.

I have decided that this is most likely an issue with npm. I am using npm 8.5.0 and node 16.14.2.