
Update path-to-regexp

Open klassm opened this issue 1 year ago • 14 comments

Please update to the current version of path-to-regexp, to mitigate the security vulnerability described in https://github.com/advisories/GHSA-9wv6-86v2-598j. Fix version should be 8.1.0

Thanks :-)!

klassm avatar Sep 10 '24 07:09 klassm

8.1.0 would probably be best, but yea, to remove the issue 8.0.0 is enough.

Please and thank you 🙌

StevenCederrand avatar Sep 10 '24 08:09 StevenCederrand

v0.1.X also needs to be updated to v1.10.0

https://github.com/advisories/GHSA-9wv6-86v2-598j

Alesyaa103 avatar Sep 10 '24 09:09 Alesyaa103

currently this fails npm audit

npm install express-openapi-validator --save

added 120 packages, and audited 121 packages in 3s

17 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

ex % npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/express-openapi-validator/node_modules/path-to-regexp
  express-openapi-validator  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/express-openapi-validator

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

mmtdm avatar Sep 10 '24 18:09 mmtdm
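The advisory the issue and the npm audit output point at (GHSA-9wv6-86v2-598j) is a ReDoS: path-to-regexp emits a backtracking regex whenever a route puts two parameters in one path segment separated by something other than a period, for example /:a-:b. What follows is an added example, not code from the express-openapi-validator project or from anyone in this thread. It reproduces the regex shape the advisory gives for that route, times it against a constructed request path, contrasts it with a linear-time variant, and audits route templates for the risky shape. The route templates, regexes, request paths and the riskySegments heuristic are all constructed for illustration; the hardened regex is one standard ReDoS mitigation and is not claimed to be what newer path-to-regexp releases emit.

```javascript
// Added example (not code from express-openapi-validator or from this thread).
// Models the backtracking regex GHSA-9wv6-86v2-598j describes for a route such as
// "/:a-:b" and a static check for route templates with that shape. All inputs below
// are constructed for illustration.

// Regex shape the advisory gives for "/:a-:b": each param is a lazy "[^\/]+?" group.
// Group 1 may end at any "-" and group 2 may then extend to every later position, so a
// non-matching path containing many "-" characters costs roughly O(n^2) steps.
const BACKTRACKING_RE = /^\/([^\/]+?)-([^\/]+?)\/?$/i;

// Hardened variant: the first param's class also excludes the literal separator "-", so
// group 1 has exactly one possible end and the match is linear in the path length.
// (Assumption: one standard mitigation, not necessarily the exact regex newer releases emit.)
const LINEAR_RE = /^\/([^\/-]+?)-([^\/]+?)\/?$/i;

// Constructed adversarial path "/a-a-a-...-a/a". The trailing "/a" guarantees that the
// final "\/?$" never matches, so the engine explores every split before giving up.
function craftPath(repeats) {
  return '/a' + '-a'.repeat(repeats) + '/a';
}

// Wall-clock cost of one test() call, for the reader to compare as n grows.
function measureMs(re, path) {
  const start = process.hrtime.bigint();
  const matched = re.test(path);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Static audit of Express-style route templates: flag any segment holding two or more
// ":param" tokens whose separator is anything other than a single ".". Heuristic derived
// from the advisory text, not path-to-regexp's own parser.
function riskySegments(template) {
  const risky = [];
  for (const segment of template.split('/')) {
    const params = [...segment.matchAll(/:([A-Za-z0-9_]+)/g)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const separator = segment.slice(prev.index + prev[0].length, params[i].index);
      if (separator !== '.') {
        risky.push({ segment, params: [prev[1], params[i][1]], separator });
      }
    }
  }
  return risky;
}

// Timing demo: the backtracking regex should grow roughly with n^2, the linear one with n.
for (const n of [1000, 2000, 4000]) {
  const path = craftPath(n);
  const slow = measureMs(BACKTRACKING_RE, path);
  const fast = measureMs(LINEAR_RE, path);
  console.log(`n=${n}: backtracking ${slow.ms.toFixed(1)} ms, linear ${fast.ms.toFixed(1)} ms`);
}
console.log(riskySegments('/users/:from-:to/files/:name.:ext'));
```

Run it with node and compare the timings as n doubles. OpenAPI documents write parameters as {param}, so convert a spec's paths to the :param form before passing them to riskySegments; the check is only a screen for the shape the advisory describes, and upgrading the library is still the fix.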

How to fix this issue? Facing the same problem.

gauravrajpoot-wmp avatar Sep 11 '24 05:09 gauravrajpoot-wmp

Also having issues using this library.

It looks like the automated PRs to update the library failed due to a build issue. https://github.com/cdimascio/express-openapi-validator/pull/967 https://github.com/cdimascio/express-openapi-validator/pull/968

Looks like this might need a code update to account for the new shape of the functions in the new version of the path-to-regexp library. https://github.com/cdimascio/express-openapi-validator/actions/runs/10797834182/job/29949959459?pr=967

frankkeefer avatar Sep 11 '24 14:09 frankkeefer

The update is non-trivial, since newer versions of path-to-regexp don't support any of the tests in test/wildcard.path.params.spec.ts (except for the first test). Began working on this, but since I am not a regular contributor to this repo, I didn't feel I had the authority to decide not to support wildcard features, since technically express does support them.

Express 4.20 is using [email protected]. I attempted to bring that version into this project as well, but it created 300+ test errors for me, so I defer to the package maintainers for the correct approach here.

To get to the point where only 7 wildcard specs are failing, you can bump [email protected], and then make the following changes:

(Two screenshots of the code changes, captured 2024-09-11 at 11:00:21 AM and 11:00:52 AM, not reproduced here.)

Not sure what to do from there apart from just deleting the wildcard functionality, any ideas? Seems to me safest approach would be to go back to [email protected], since express uses that version successfully to parse its routes, and it can handle the same wildcard expressions, but that results in massive failures and I don't have the time to look into them.

avocadojesus avatar Sep 11 '24 18:09 avocadojesus

For version 8.1.0 the code needs to be modified; as of now the fix version is 6.3.0.

cvchauhan avatar Sep 12 '24 09:09 cvchauhan

Following the release of [email protected], which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

s100 avatar Sep 12 '24 10:09 s100
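Whether the patched 6.3.0 actually lands depends on what npm resolves for each copy of path-to-regexp in the tree, and the audit output earlier in the thread shows two copies: express's 0.1 line at the top level and the validator's 6.x line nested under node_modules/express-openapi-validator. The following is an added example, not code from the project or from anyone in this thread. It walks the "packages" map of a package-lock.json, resolves which copy each dependent loads the way Node's node_modules lookup does, checks that copy against the patched floors the thread and the advisory name (0.1.10 for the 0.1 line, 6.3.0 for 6.x, 8.0.0 for 8.x; other major lines are not modelled), and emits an npm overrides object for the unpatched ones. The lockfile contents, package versions and helper names are constructed for the example.

```javascript
// Added example (not code from express-openapi-validator or from this thread).
// Audits every copy of path-to-regexp in a package-lock.json (lockfileVersion 2 or 3
// "packages" map) and reports, per dependent, which copy Node will load and whether it
// is on a patched release. SAMPLE_LOCK is constructed; its versions are sample data.

// Constructed lockfile fragment: express's 0.1 line hoisted to the top level, the
// validator's 6.x line (spec ^6.2.2, as in the thread) nested under it.
const SAMPLE_LOCK = {
  name: 'ex',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { express: '^4.19.2', 'express-openapi-validator': '^5.3.0' } },
    'node_modules/express': { version: '4.19.2', dependencies: { 'path-to-regexp': '0.1.7' } },
    'node_modules/path-to-regexp': { version: '0.1.7' },
    'node_modules/express-openapi-validator': {
      version: '5.3.0',
      dependencies: { 'path-to-regexp': '^6.2.2' },
    },
    'node_modules/express-openapi-validator/node_modules/path-to-regexp': { version: '6.2.2' },
  },
};

// Minimal semver handling: "major.minor.patch", prerelease tags dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Patched floors: 8.0.0 and 6.3.0 from the thread, 0.1.10 from the advisory (the line
// express 4 uses). Assumption: other major lines (1.x, 3.x, ...) are not modelled and are
// reported as unpatched; take their floors from the advisory if your tree has them.
function isPatched(version) {
  const v = parseVersion(version);
  if (compare(v, [8, 0, 0]) >= 0) return true;
  if (v[0] === 6 && compare(v, [6, 3, 0]) >= 0) return true;
  if (compare(v, [0, 2, 0]) < 0 && compare(v, [0, 1, 10]) >= 0) return true;
  return false;
}

// Which installed copy of `dep` does the package at lock key `fromKey` load? Mimics Node's
// lookup: "<fromKey>/node_modules/<dep>", then each enclosing node_modules, then the root.
function resolveCopy(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// One finding per package that declares a path-to-regexp dependency.
function auditPathToRegexp(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [key, meta] of Object.entries(packages)) {
    const spec = meta.dependencies && meta.dependencies['path-to-regexp'];
    if (!spec) continue;
    const copy = resolveCopy(packages, key, 'path-to-regexp');
    const version = copy ? packages[copy].version : null;
    findings.push({
      dependent: key === '' ? '(project root)' : key.slice(key.lastIndexOf('node_modules/') + 13),
      spec,
      copy,
      version,
      patched: version !== null && isPatched(version),
    });
  }
  return findings;
}

// npm "overrides" entry per unpatched copy, keyed by the dependent so that express's
// 0.1 line and the validator's 6.x line are pinned separately, never forced to one major.
function suggestOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (f.patched || f.version === null || f.dependent === '(project root)') continue;
    const [major, minor] = parseVersion(f.version);
    const target = major === 6 ? '^6.3.0' : major === 0 && minor === 1 ? '^0.1.10' : null;
    if (target) overrides[f.dependent] = { 'path-to-regexp': target };
  }
  return overrides;
}

console.log(auditPathToRegexp(SAMPLE_LOCK));
console.log(JSON.stringify({ overrides: suggestOverrides(auditPathToRegexp(SAMPLE_LOCK)) }, null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), paste the printed overrides block into package.json, then run npm install and npm audit again. The overrides are nested per dependent on purpose: a blanket top-level override to 8.x would hand express 4 a major it does not expect, and for express itself the cleaner fix is moving to a release that already pins the patched 0.1 line.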

The PR above upgrades path-to-regexp to 6.3.0, which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

cdimascio avatar Sep 12 '24 11:09 cdimascio

Found a way to update the code to support path-to-regexp 8.1.0 https://github.com/cdimascio/express-openapi-validator/pull/976. I had to do a pinch of rework in the openapi.spec.loader.ts to handle some of the new expectations for the 8.1.0 versions in setting up the path models. If the PR needs any adjustments let me know.

frankkeefer avatar Sep 12 '24 14:09 frankkeefer

I did validate that the changes in #976 pass all the current unit tests, and the code changed is covered by the current unit testing. I'm not sure what unit test updates would be needed beyond that.

frankkeefer avatar Sep 12 '24 15:09 frankkeefer

> The PR above upgrades path-to-regexp to 6.3.0, which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

https://github.com/cdimascio/express-openapi-validator/pull/975

cvchauhan avatar Sep 12 '24 18:09 cvchauhan

> Following the release of [email protected], which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

PR has been raised already https://github.com/cdimascio/express-openapi-validator/pull/979

cvchauhan avatar Sep 12 '24 18:09 cvchauhan

Since https://github.com/cdimascio/express-openapi-validator/pull/976 is merged, can a new release be made? 🙏🏻

dogmatic69 avatar Sep 17 '24 07:09 dogmatic69

Fixed. Closing this out.

cdimascio avatar Nov 01 '24 00:11 cdimascio