
Security Issues

Open erhathaway opened this issue 4 years ago • 2 comments

**Describe the issue you're having**

Multiple security issues exist

**What OS version are you using**

Irrelevant b/c I ran a security scanner on the dependencies. Not related to OS

**What device are you using**

Irrelevant b/c I ran a security scanner on the dependencies. Not related to device.

Findings:

Using snyk on the master branch exposed multiple security issues:

```text
Tested 948 dependencies for known issues, found 9 issues, 3853 vulnerable paths.


Issues to fix by upgrading:

  Upgrade [email protected] to [email protected] to fix
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381] in [email protected]
    introduced by [email protected] > @react-native-community/[email protected] > [email protected] > [email protected] > [email protected] and 5 other path(s)


Patchable issues:

  Patch available for [email protected]
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-567746] in [email protected]
    introduced by [email protected] > [email protected] and 1329 other path(s)

  Patch available for [email protected]
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/npm:semver:20150403] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-HAPIHOEK-548452] in @hapi/[email protected]
    introduced by [email protected] > @react-native-community/[email protected] > @hapi/[email protected] > @hapi/[email protected] and 1 other path(s)
  This issue was fixed in versions: 8.5.1, 9.0.3
  ✗ Information Exposure [Low Severity][https://snyk.io/vuln/SNYK-JS-KINDOF-537849] in [email protected]
    introduced by [email protected] > @react-native-community/[email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 2419 other path(s)
  This issue was fixed in versions: 6.0.3
  ✗ Remote Code Execution (RCE) [High Severity][https://snyk.io/vuln/SNYK-JS-LOGKITTY-568763] in [email protected]
    introduced by [email protected] > @react-native-community/[email protected] > [email protected]
  No upgrade or patch available
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in [email protected]
    introduced by [email protected] > @react-native-community/[email protected] > [email protected] and 87 other path(s)
  This issue was fixed in versions: 0.2.1, 1.2.3
  ✗ Uninitialized Memory Exposure [Medium Severity][https://snyk.io/vuln/npm:bl:20160119] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 0.9.5, 1.0.1
  ✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/npm:mem:20180117] in [email protected]
    introduced by [email protected] > @react-native-community/[email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 3 other path(s)
  This issue was fixed in versions: 4.0.0
```

Suggested Actions

I highly suggest the team integrate security scanners into the CI / build pipeline. I was also unable to find the build pipeline. Post-install scripts are a common attack vector. These should also be disabled for all production builds.

erhathaway, Jun 06 '20 18:06

I hear you. The build process is the worst on mobile out of our apps, and could do with an improved configuration and update procedure.

The issue I see is primarily one of effort - I don't have the time to perform regular maintenance for updates to React Native (the main culprit). The prototype pollution stuff will never fully disappear so I'd worry less about that. Not all vulnerabilities present in package reporting tools are relevant to the application itself. Agreed on the postinstall point, though this too is difficult to avoid as it requires very thorough grooming of packages that don't require postinstall scripts. Right now React-native needs several to be configured correctly.

perry-mitchell, Jun 30 '20 21:06

> The prototype pollution stuff will never fully disappear so I'd worry less about that.

This is a dangerous thing to say, it should disappear. Prototype pollution makes it so a bug in one package can spread to the whole codebase, so it's something I'd rather not see in a security/privacy focused app.

(How it is that in 2020 people still use lodash is beyond my comprehension, and it's usually lodash that's the problem.)

I can provide a PR for this (and re-do it periodically after new RN drops if you don't have the time), but sadly I don't see any tests in this project, so making sure everything works may take some time. As for postinstall (or any scripts at all) when you can't disable them: I'd suggest auditing any that are there at the moment, pinning packages that have them and re-audit on each upgrade.

maciek134, Aug 22 '20 20:08