cypress icon indicating copy to clipboard operation
cypress copied to clipboard

Published 20 hours ago verified publisher icon cypress-io

Vulnerability Issue reported for tough-cookie, latest version of @cypress/request is dependent of [email protected]

Open Kathuria opened this issue 1 year ago • 3 comments

Current behavior

It's working fine but having vulnerability issue on package @cypress/request or others consuming [email protected] which is <4.1.3

Desired behavior

Upgrade tough-cookie version to [email protected] for all packages having dependencies on this

Here is an example from latest tag, yarn-lock

"@cypress/request@^2.88.11": version "2.88.11" resolved "https://registry.yarnpkg.com/@cypress/request/-/request-2.88.11.tgz#5a4c7399bc2d7e7ed56e92ce5acb620c8b187047" integrity sha512-M83/wfQ1EkspjkE2lNWNV5ui2Cv7UCv1swW1DqljahbzLVWltcsexQh8jYtuS/vzFXP+HySntGM83ZXA9fn17w== dependencies: aws-sign2 "~0.7.0" aws4 "^1.8.0" caseless "~0.12.0" combined-stream "~1.0.6" extend "~3.0.2" forever-agent "~0.6.1" form-data "~2.3.2" http-signature "~1.3.6" is-typedarray "~1.0.0" isstream "~0.1.2" json-stringify-safe "~5.0.1" mime-types "~2.1.19" performance-now "^2.1.0" qs "~6.10.3" safe-buffer "^5.1.2" tough-cookie "~2.5.0" tunnel-agent "^0.6.0" uuid "^8.3.2"

Test code to reproduce

NA

Cypress Version

12.17.1

Node version

v16.15.0

Operating System

windows

Debug Logs

NA

Other

No response

Kathuria avatar Jul 10 '23 20:07 Kathuria

@Kathuria

  • There is a related PR https://github.com/cypress-io/cypress/pull/27242

MikeMcC399 avatar Jul 11 '23 07:07 MikeMcC399

@MikeMcC399 it should be noted that @cypress/request is affected by this: https://github.com/cypress-io/request/issues/31

So I am not sure if the PR you linked is sufficient for this issue.

https://github.com/cypress-io/cypress/pull/27005 also required the request package to be updated.

BreakBB avatar Jul 11 '23 09:07 BreakBB

@BreakBB

So I am not sure if the PR you linked is sufficient for this issue.

You're right. npm audit shows the following for [email protected] (current latest version):

$ npm audit
# npm audit report

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie
  @cypress/request  *
  Depends on vulnerable versions of tough-cookie
  node_modules/@cypress/request
    cypress  >=4.3.0
    Depends on vulnerable versions of @cypress/request
    node_modules/cypress

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

MikeMcC399 avatar Jul 11 '23 11:07 MikeMcC399

Any news or estimate on this?

It seems like a very small change without many risks and the PRs are already there 🤔

I am not sure if this is something worth reporting as Security Issue.

EDIT: A security issue as mail has been sent.

BreakBB avatar Jul 20 '23 09:07 BreakBB

NOTE: This is a temporarily work around with npm until tough-cookie dependency version bump is merged. Add the following to package.json:

"overrides": {
  "tough-cookie": "^4.1.3"
}

Source: https://github.com/cypress-io/request/pull/32#issuecomment-1633793413

TheLandolorien avatar Jul 30 '23 13:07 TheLandolorien

  • I can see https://github.com/cypress-io/request/pull/32 has now been merged, however I don't see a new @cypress/request release. At the moment the latest release is v2.88.11 from Jan 11, 2023.

Edit: Now v2.88.12 has been published.

MikeMcC399 avatar Aug 01 '23 17:08 MikeMcC399

As v12.17.3 has failed, can we include @cypress/request v2.88.12 in it? Unless you can tag v12.17.4 right after?

Thanks.

nicogominet avatar Aug 01 '23 19:08 nicogominet

@nicogominet

Can you try npm audit fix now?

Even a clean install of an earlier version like Cypress 10.0.0 will pick up the latest version of @cypress/request now.

npx cypress version
Cypress package version: 12.17.3
Cypress binary version: 12.17.3
Electron version: 21.0.0
Bundled Node version:
16.16.0

npm audit
found 0 vulnerabilities

Alternatively:

npm update @cypress/request

should also fix things.

MikeMcC399 avatar Aug 01 '23 21:08 MikeMcC399

@MikeMcC399 note that @cypress/request is still vulnerable to https://github.com/advisories/GHSA-p8p7-x288-28g6, it just doesn't show on npm audit because the advisory range doesn't include the new version as vulnerable.

I've opened a PR to update the advisory after which it'll get flagged by dependabot and npm audit again

G-Rath avatar Aug 01 '23 21:08 G-Rath

@G-Rath

note that @cypress/request is still vulnerable to https://github.com/advisories/GHSA-p8p7-x288-28g6, it just doesn't show on npm audit because the advisory range doesn't include the new version as vulnerable.

Understood. This issue was just about tough-cookie.

MikeMcC399 avatar Aug 01 '23 22:08 MikeMcC399

Yup no worries, I just didn't want to risk losing the attention on @cypress/request if the advisory doesn't get updated before this issue is closed :)

G-Rath avatar Aug 01 '23 22:08 G-Rath

@Kathuria

Is this fixed for you now or were you expecting that Cypress would force an update to the corrected version of @cypress/request, which would require bumping the dependency which is used to build the npm cypress module?

https://github.com/cypress-io/cypress/blob/14a7416e126f6b296a2da037ae257c27e7915d5b/cli/package.json#L23

MikeMcC399 avatar Aug 02 '23 08:08 MikeMcC399

@MikeMcC399 I'm using yarn and npm audit fix equivalent did not fix it unfortunately, but a simple yarn upgrade did the trick.

nicogominet avatar Aug 02 '23 14:08 nicogominet

@nicogominet

I'm using yarn and npm audit fix equivalent did not fix it unfortunately, but a simple yarn upgrade did the trick.

Good to hear that you have the fix installed! Each of the different package managers has their own quirks!

I would welcome Cypress bumping the dependency definition (see https://github.com/cypress-io/cypress/issues/27261#issuecomment-1661753588) and I was hoping for some feedback from the original contributor @Kathuria and the issue assignee @cacieprins on this topic. Without this bump there is no clear universal way to ensure that the dependency gets updated for all the different flavors of package managers. If you already have Cypress installed, updating to a newer Cypress version will not normally update the version of @cypress/request to 2.88.12 because the semver is already satisfied by @cypress/[email protected].

MikeMcC399 avatar Aug 02 '23 15:08 MikeMcC399

@Kathuria

Is this fixed for you now or were you expecting that Cypress would force an update to the corrected version of @cypress/request, which would require bumping the dependency which is used to build the npm cypress module?

https://github.com/cypress-io/cypress/blob/14a7416e126f6b296a2da037ae257c27e7915d5b/cli/package.json#L23 @MikeMcC399 : I will be waiting to get final version containing this vulnerability resolution. That would be proper fix going ahead in my project.

Kathuria avatar Aug 02 '23 16:08 Kathuria

@nicogominet

I'm using yarn and npm audit fix equivalent did not fix it unfortunately, but a simple yarn upgrade did the trick.

Good to hear that you have the fix installed! Each of the different package managers has their own quirks!

I would welcome Cypress bumping the dependency definition (see #27261 (comment)) and I was hoping for some feedback from the original contributor @Kathuria and the issue assignee @cacieprins on this topic. Without this bump there is no clear universal way to ensure that the dependency gets updated for all the different flavors of package managers. If you already have Cypress installed, updating to a newer Cypress version will not normally update the version of @cypress/request to 2.88.12 because the semver is already satisfied by @cypress/[email protected].

Agree, Dependencies upgrade would be expected fix for my requirement but open for suggestions also if any alternative way can work until the version is available through cypress patch/release.

Kathuria avatar Aug 02 '23 16:08 Kathuria

@Kathuria

if any alternative way can work until the version is available through cypress patch/release.

One alternative is to manually install @cypress/[email protected].

MikeMcC399 avatar Aug 02 '23 17:08 MikeMcC399

  • The vulnerability reported in https://github.com/cypress-io/request/issues/27 will cause a remaining moderate severity issue "Server-Side Request Forgery in Request" to show up with npm audit. This affects Cypress 12 and earlier versions and updating to @cypress/[email protected] does not resolve the issue.
  • This is a separate issue from the tough-cookie issue (https://github.com/cypress-io/cypress/issues/27261), however it does mean that a vulnerability will still be reported.

MikeMcC399 avatar Aug 03 '23 10:08 MikeMcC399

You can also remove the dependency from the yarn.lock manually or using this script of mine, then running yarn install - that will allow yarn to re-resolve the version based on the constraints.

For completeness:

Package Manager Steps
npm <7 npm_remove_package_from_lock @cypress/request; npm install
npm >6 npm update @cypress/request
yarn yarn_remove_package_from_lock @cypress/request; yarn install
pnpm pnpm update @cypress/request

G-Rath avatar Aug 03 '23 20:08 G-Rath

  • ~~Pending PR https://github.com/cypress-io/cypress/pull/27495 is related to this issue.~~

Edit: Superseded by

  • #27515

MikeMcC399 avatar Aug 10 '23 10:08 MikeMcC399

Released in 12.17.4.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v12.17.4, please open a new issue.

cypress-bot[bot] avatar Aug 15 '23 20:08 cypress-bot[bot]