sonar-scanner-npm

NPM Audit - High Vulnerability - Due to use of 'Download > Decompress' package

Open erineland opened this issue 5 years ago • 4 comments

When running NPM audit this morning, there is a high vulnerability on this package, due to its use of the 'download' and 'decompress' packages.

NPM says there is no solution to this vulnerability, and to just not use the decompress package:

https://npmjs.com/advisories/1217

JSON Output from NPM audit for the sonarqube-scanner module:

"1217": {
    "findings": [
        {
            "version": "4.2.0",
            "paths": [
                "sonarqube-scanner>download>decompress"
            ]
        }
    ],
    "id": 1217,
    "created": "2019-10-15T20:29:24.598Z",
    "updated": "2020-02-26T21:44:26.745Z",
    "deleted": null,
    "title": "Arbitrary File Write",
    "found_by": {
        "link": "https://www.arnflo.se",
        "name": "Oscar Arnflo",
        "email": ""
    },
    "reported_by": {
        "link": "https://www.arnflo.se",
        "name": "Oscar Arnflo",
        "email": ""
    },
    "module_name": "decompress",
    "cves": [],
    "vulnerable_versions": ">=0.0.0",
    "patched_versions": "<0.0.0",
    "overview": "All versions of `decompress` are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing `../`.",
    "recommendation": "No fix is currently available. Consider using an alternative package until a fix is made available.",
    "references": "- [GitHub Issue](https://github.com/kevva/decompress/issues/71)",
    "access": "public",
    "severity": "high",
    "cwe": "CWE-59",
    "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
    },
    "url": "https://npmjs.com/advisories/1217"
}

erineland avatar Feb 27 '20 11:02 erineland

Temporary fix until the package is fixed:

yarn run improved-yarn-audit

yarn run improved-yarn-audit --exclude 1217

felixgourdeau avatar Feb 27 '20 18:02 felixgourdeau

Another temporary solution to exclude the advisory if you are using npm: npm install --save-dev better-npm-audit

Add it as script to the package.json:

  "scripts": {
      "audit": "node node_modules/better-npm-audit audit"
      .....
  }

running audit with excluded advisory: npm run audit -- -i 1217

laberning avatar Mar 02 '20 07:03 laberning

Thanks @arcadia168 for reporting this! I have no bandwidth to replace download and decompress packages for now. Will see later unless someone provides a PR for this.

bellingard avatar Mar 24 '20 22:03 bellingard

Github's dependabot is alerting people with a dependency on sonarqube-scanner for this.

richmidwinter avatar Sep 03 '20 12:09 richmidwinter

Hi, this should be fixed with the latest release 2.8.2: https://github.com/bellingard/sonar-scanner-npm/releases/tag/2.8.2

gabssnake avatar Sep 26 '22 14:09 gabssnake