
node-red-node-sqlite 1.0.1 reports 5 high severity vulnerabilities

Open pierredewilde opened this issue 4 years ago • 3 comments

Node-RED v2.0.6

$ node -v
v14.18.1

$ npm -v
6.14.15

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities
 in 178 scanned packages

$ npm install node-red-node-sqlite
npm WARN deprecated [email protected]: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: this library is no longer supported

> [email protected] install /Users/Pierre/.node-red/node_modules/sqlite3
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download 
[sqlite3] Success: "/Users/Pierre/.node-red/node_modules/sqlite3/lib/binding/napi-v3-darwin-x64/node_sqlite3.node" is installed via remote
+ [email protected]
added 82 packages from 161 contributors and audited 260 packages in 10.746s

5 packages are looking for funding
  run `npm fund` for details

found 5 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite on Windows via             │
│               │ insufficient relative path sanitization                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.18                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-5955-9wpr-37jh            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning using symbolic   │
│               │ links                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.18                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-qq89-hq3f-393p            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning using symbolic   │
│               │ links                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.16                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-9r2w-394v-53qc            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite due to insufficient        │
│               │ absolute path sanitization                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-3jfq-g458-7qm9            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r628-mhmh-qjhw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 high severity vulnerabilities in 260 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

Environment:

  • [ ] Node-RED 2.0.6
  • [ ] node-red-node-sqlite 1.0.1
  • [ ] node.js 14.18.1
  • [ ] npm 6.14.15
  • [ ] macOS 10.15.7
  • [ ] Chrome 95.0.4638.54

pierredewilde, Oct 20 '21 21:10

These all stem from the required sqlite3 package. We are using version 5.0.3 which is the latest available.

There is already an upstream issue for this and a PR to fix it that has been merged but appears not to have been released yet.

Until this ships there is nothing we can do about it.

Also, as the tar package is only used during building the node (using node-gyp) when it is installed, it is very unlikely to present any problems during use.

hardillb, Oct 20 '21 21:10
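The triage argument in the comment above (the vulnerable tar is reachable only through node-gyp, a build-time tool, so runtime exposure is low) can be checked mechanically against `npm audit --json` output. The script below is an added example, not code from node-red-nodes or from anyone in this thread. It assumes the npm 6 audit JSON layout (an `advisories` object keyed by id, each with `module_name`, `severity`, `patched_versions`, `url` and `findings[].paths` joined with `>`), and it assumes that `node-gyp` and `node-pre-gyp` run only while a native addon is being installed. The sample report is constructed from the five findings shown in the issue; the advisory ids are placeholders because npm's numeric ids are not in the report above.

```javascript
// Added example: triage npm 6 `npm audit --json` output per vulnerable package.
// Not part of node-red-nodes; the report shape and the build-time-tool list
// are assumptions documented in the lead-in.

// Packages assumed (for this example) to execute only at install/build time.
const BUILD_TIME_TOOLS = new Set(['node-gyp', 'node-pre-gyp']);

// Constructed sample mirroring the five tar findings in the issue.
// Columns: GHSA id (from the issue), "Patched in" range, advisory title.
const ISSUE_FINDINGS = [
  ['GHSA-5955-9wpr-37jh', '>=4.4.18', 'Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization'],
  ['GHSA-qq89-hq3f-393p', '>=4.4.18', 'Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links'],
  ['GHSA-9r2w-394v-53qc', '>=4.4.16', 'Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links'],
  ['GHSA-3jfq-g458-7qm9', '>=3.2.2', 'Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization'],
  ['GHSA-r628-mhmh-qjhw', '>=3.2.3', 'Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning'],
];

const SAMPLE_AUDIT = {
  advisories: Object.fromEntries(ISSUE_FINDINGS.map(([ghsa, patched, title], i) => [
    `constructed-${i + 1}`, // placeholder: npm's numeric advisory ids are not in the issue
    {
      module_name: 'tar',
      severity: 'high',
      title,
      patched_versions: patched,
      url: `https://github.com/advisories/${ghsa}`,
      findings: [{ paths: ['node-red-node-sqlite>sqlite3>node-gyp>tar'] }],
    },
  ])),
};

// A path like "node-red-node-sqlite>sqlite3>node-gyp>tar" is "build-only" when
// some ancestor of the vulnerable leaf is a build-time tool.
function isBuildOnlyPath(pathString) {
  const ancestors = pathString.split('>').slice(0, -1);
  return ancestors.some((name) => BUILD_TIME_TOOLS.has(name));
}

// Extract the numeric floor of a ">=x.y.z" range as [major, minor, patch].
// Other range forms are not handled by this example and yield null.
function patchedFloor(range) {
  const m = /^>=\s*(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Summarise each vulnerable module: advisory count, unique dependency paths,
// whether every path runs through build tooling, and the lowest version that
// satisfies all ">=" patched ranges at once.
function triage(report) {
  const byModule = {};
  for (const adv of Object.values(report.advisories)) {
    if (!byModule[adv.module_name]) {
      byModule[adv.module_name] = { advisories: 0, paths: new Set(), urls: [], buildOnly: true, floor: null };
    }
    const entry = byModule[adv.module_name];
    entry.advisories += 1;
    entry.urls.push(adv.url);
    for (const finding of adv.findings) {
      for (const p of finding.paths) {
        entry.paths.add(p);
        if (!isBuildOnlyPath(p)) entry.buildOnly = false; // one runtime path is enough to flag it
      }
    }
    const floor = patchedFloor(adv.patched_versions);
    if (floor && (!entry.floor || compareVersions(floor, entry.floor) > 0)) entry.floor = floor;
  }
  const result = {};
  for (const [name, e] of Object.entries(byModule)) {
    result[name] = {
      advisories: e.advisories,
      buildOnly: e.buildOnly,
      paths: [...e.paths],
      urls: e.urls,
      minimumFix: e.floor ? e.floor.join('.') : null,
    };
  }
  return result;
}

console.log(JSON.stringify(triage(SAMPLE_AUDIT), null, 2));
```

Run against the real report with `npm audit --json > audit.json` and `triage(require('./audit.json'))`. A `buildOnly: false` result means the vulnerable package is also loaded by code that runs with the flow, which is the case that warrants an immediate override or upgrade rather than waiting for the upstream release.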

@hardillb is this something we can address now?

Steve-Mcl, Aug 14 '22 10:08

Yes, we can probably bump it

hardillb, Aug 14 '22 21:08