
Security concerns related to cors-proxy

Open DavidBruant opened this issue 1 year ago • 0 comments

Context

The git proxy is security-sensitive, because credentials are passed to it as plaintext via calls from most methods using onAuth (but in practice, mostly push calls)

If an attacker can place themselves in the proxy, they can breach the confidentiality of the credentials by reading them. They can then send them wherever they please and then act maliciously as the user the credentials represent

This can happen, for instance, if there is an RCE vulnerability anywhere in the stack, for instance, in Node.js or in the micro dependency

It can also happen as a result of a prototype pollution vulnerability somewhere (a thorough analysis would be required to assess whether the threat is likely)

First-order analysis

I tried to assess whether the threat would be likely at a first glance

Node.js version

I see the Node.js version in the Docker image is 8

https://github.com/isomorphic-git/cors-proxy/blob/65e7d3413ec434ae17017849204d84254c9a8309/Dockerfile#L1

This version stopped receiving security updates on 2019-12-31, 4 years ago.

This doesn't mean the proxy is vulnerable per se, but does not smell good

npm install

A fresh clone and npm install gives:

75 vulnerabilities (1 low, 22 moderate, 43 high, 9 critical)

After an npm audit fix, the result is:

41 vulnerabilities (14 moderate, 27 high)

Lots of ReDoS and some prototype pollution

This doesn't mean the proxy is vulnerable per se, but does not smell good

micro dependency

This proxy is mostly [email protected]. It was released in 2018 and a newer version is available

This would probably partially solve the security issues of the previous sections

Solutions

  • [ ] The fact that the proxy is security-sensitive should probably be documented somewhere, so people can make informed decisions (I can send a PR to the readme)
  • [ ] update Node.js requirements to the latest LTS, in package.json as well as in the Dockerfile (and the Azure config file?)
  • [ ] update micro dependency
  • [ ] update package.json and package-lock.json to be in a place where npm audit stops reporting problems (or the remaining vulnerabilities are demonstrated to not affect cors-proxy)

I'm happy to send PRs with all this to begin with

DavidBruant avatar Jan 20 '24 14:01 DavidBruant
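The two observations in the issue (an end-of-life Node.js major pinned in the Dockerfile, and an `npm audit` result full of high and critical findings) are exactly the kind of thing a small pre-merge check can keep from regressing once the proposed fixes land. The script below is an added example, not code from cors-proxy or its author: it reads the Node.js major from a Dockerfile `FROM` line and counts `npm audit --json` findings by severity, then fails if either is below policy. The Dockerfile text and the audit JSON are constructed samples (the audit sample follows the npm 7+ shape of a `vulnerabilities` map keyed by package name, each entry carrying a `severity`); `minNodeMajor` and `maxSeverity` are assumed policy values, and the value 20 stands in for whatever the current LTS major is.

```javascript
// Added example, not cors-proxy's own code: a small policy check covering the
// two findings from the issue (Node.js base image version, npm audit counts).

// Constructed sample Dockerfile content mirroring the "node:8" observation.
const SAMPLE_DOCKERFILE = [
  "FROM node:8",
  "WORKDIR /app",
  "COPY . .",
  "RUN npm install",
  'CMD ["npm", "start"]',
].join("\n");

// Constructed sample of `npm audit --json` output in the npm 7+ shape:
// a `vulnerabilities` map keyed by package name, each with a `severity`.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "pkg-a": { name: "pkg-a", severity: "high", via: ["ReDoS"] },
    "pkg-b": { name: "pkg-b", severity: "critical", via: ["Prototype Pollution"] },
    "pkg-c": { name: "pkg-c", severity: "moderate", via: ["ReDoS"] },
    "pkg-d": { name: "pkg-d", severity: "low", via: ["Information exposure"] },
  },
};

// Severity ladder used both for counting and for the threshold comparison.
const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Extract the Node.js major version from the first FROM line that uses the
// official node image, e.g. "FROM node:8" or "FROM node:20-alpine".
// Returns null when no recognizable node base image is present.
function nodeMajorFromDockerfile(text) {
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*FROM\s+(?:[\w.\-]+\/)*node:(\d+)/i.exec(line);
    if (m) return Number(m[1]);
  }
  return null;
}

// Count audit findings by severity; unknown severities are ignored.
function countBySeverity(audit) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const finding of Object.values(audit.vulnerabilities || {})) {
    if (finding.severity in counts) counts[finding.severity] += 1;
  }
  return counts;
}

// Apply the policy. `minNodeMajor` is the lowest acceptable Node.js major
// (assumed policy value); `maxSeverity` is the highest severity still
// tolerated, so any finding above it is reported as a problem.
function evaluate({ dockerfile, audit, minNodeMajor, maxSeverity }) {
  const problems = [];

  const nodeMajor = nodeMajorFromDockerfile(dockerfile);
  if (nodeMajor === null) {
    problems.push("Dockerfile: no node base image found");
  } else if (nodeMajor < minNodeMajor) {
    problems.push(`Dockerfile: node:${nodeMajor} is below required node:${minNodeMajor}`);
  }

  const counts = countBySeverity(audit);
  const limit = SEVERITY_ORDER.indexOf(maxSeverity);
  for (const sev of SEVERITY_ORDER.slice(limit + 1)) {
    if (counts[sev] > 0) problems.push(`npm audit: ${counts[sev]} ${sev} finding(s)`);
  }

  return { ok: problems.length === 0, nodeMajor, counts, problems };
}

// Stand-alone run against the constructed samples; 20 is an assumed LTS major.
const EXAMPLE_RESULT = evaluate({
  dockerfile: SAMPLE_DOCKERFILE,
  audit: SAMPLE_AUDIT,
  minNodeMajor: 20,
  maxSeverity: "moderate",
});
console.log(JSON.stringify(EXAMPLE_RESULT, null, 2));
```

In a real pipeline the two inputs would come from reading the repository's Dockerfile and from `npm audit --json`, and the `ok` flag would drive the exit code; the severity threshold lets the fourth checklist item ("stops reporting problems, or the remaining ones are shown not to affect cors-proxy") be expressed as an explicit, reviewable setting rather than a one-off judgement.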