
Security Issue

Open allanice001 opened this issue 3 years ago • 18 comments

Issues with no direct upgrade or patch: ✗ XML External Entity (XXE) Injection [Medium Severity][https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960] in [email protected] introduced by [email protected] > [email protected] > [email protected] This issue was fixed in versions: 0.5.0

Any chance of upgrading the xmldom dependency?

allanice001 avatar Apr 17 '21 22:04 allanice001
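One way to contain the advisory above in a consuming application while the upstream fix is pending (an added example, not code from the passport-twitter project or from anyone in this thread): npm 8.3 and later honour an `overrides` field in package.json that forces a transitive dependency to a chosen version, here the `xmldom` release the advisory lists as fixed. The package name `my-app` is a placeholder, and it is an assumption, to be verified by exercising the Twitter login flow after `npm install`, that xmldom 0.5.x remains API-compatible with the calls xtraverse makes into it.

```json
{
  "name": "my-app",
  "private": true,
  "dependencies": {
    "passport": "^0.4.1",
    "passport-twitter": "^1.0.4"
  },
  "overrides": {
    "xmldom": "^0.5.0"
  }
}
```

After installing, `npm ls xmldom` should show a single 0.5.x copy under `passport-twitter > xtraverse`; if an older copy is still listed, the override did not apply (older npm ignores the field silently). Yarn classic uses a `resolutions` field with the same shape for the same purpose.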

The fix needs to happen on xtraverse first, see PR: https://github.com/jaredhanson/node-xtraverse/pull/1

hthetiot avatar May 20 '21 16:05 hthetiot

> The fix needs to happen on xtraverse first, see PR: jaredhanson/node-xtraverse#1

This lib looks to have last been updated 8 years ago. Perhaps it needs to be forked, or is there any other way to fix this issue here?

dmitrizzle avatar Sep 05 '21 18:09 dmitrizzle

I've done the needful - https://www.npmjs.com/package/xtraverse1

allanice001 avatar Sep 17 '21 01:09 allanice001

Thank you @allanice001

hthetiot avatar Sep 17 '21 09:09 hthetiot

@jaredhanson I know you're around now, you committed to this repo yesterday :smile_cat:

Can you merge jaredhanson/node-xtraverse#1 now? :pray:

julianlam avatar Nov 11 '21 14:11 julianlam

Hello, any news on this matter? I implemented "passport-twitter": "^1.0.4" today and discovered that it depends on vulnerable versions of xmldom. Is it a package people use in production, or is there another package somewhere to be used? Thanks!

arnauddsj avatar Jan 16 '22 20:01 arnauddsj

> Hello, any news on this matter? I implemented "passport-twitter": "^1.0.4" today and discovered that it depends on vulnerable versions of xmldom. Is it a package people use in production, or is there another package somewhere to be used? Thanks!

If you take the time to understand the previous comments in this issue you should understand that the fix is on the way. And asking for an alternative package instead of helping the maintainer to update is not the right way to help an open source library in my POV. So being patient is the best course of action if you are not knowledgeable.

hthetiot avatar Jan 16 '22 22:01 hthetiot

I love OSS, but this issue has been going on for over 6 months without the current maintainer @jaredhanson taking note of this issue, so with all respect @hthetiot - please advise an alternative. The PRs are done, and unless there are more maintainers for the package, there really is no way forward.

allanice001 avatar Jan 17 '22 15:01 allanice001

Ref:

  • jaredhanson/node-xtraverse/pull/2

Martii avatar Mar 14 '22 08:03 Martii

Any updates on this issue please ?

it-smtech avatar Nov 03 '22 17:11 it-smtech

> I've done the needful - https://www.npmjs.com/package/xtraverse1

still no feedback from the original maintainer @jaredhanson

allanice001 avatar Nov 03 '22 20:11 allanice001

Good day, is there an alternative package to use? Seems that the maintainer is unresponsive for a very long time.

Dylankjy avatar Nov 05 '22 12:11 Dylankjy

Alright everyone, I've cloned the two repositories and started their own lifecycle at passportjs. I've also created an npm org, @passport-js.

Right now, you're more than welcome to look at using @passport-js/passport-twitter as a replacement dependency, which consumes the patched traverse package - @passport-js/xtraverse

allanice001 avatar Nov 05 '22 13:11 allanice001

@allanice001 are you part of the passport.js organization?

julianlam avatar Nov 05 '22 14:11 julianlam

@julianlam I am a tenured developer and security professional with over 20 years of experience. The repository owner has not responded to what is IMHO a critical bug in over a year, and everyone here is just pinging a dead thread.

as @dmitrizzle suggested here: https://github.com/jaredhanson/passport-twitter/issues/107#issuecomment-913200011

What I have done is exactly that: clone the repository and create the new lifecycles. Something it seems like no one else wanted to do.

The GitHub and npm organizations I mentioned are created by myself at the minute, and I would love to have maintainers join. I'd be happy to continue this conversation offline or on a different platform.

allanice001 avatar Nov 05 '22 16:11 allanice001

@allanice001 thanks for responding, I only raise the concern due to concerns over the software supply chain. It was not meant as an attack on your person 🙂

I was just surprised that you elected to use the passportjs name instead of your own personal fork.

julianlam avatar Nov 05 '22 16:11 julianlam

no worries - the intention is that a community can be built to support it, with multiple leaders, instead of just a single person, and that's what led to my decision not to point to a personal fork.

In the same breath, what happens when I don't respond to security concerns or concerns regarding the maintenance of the packages or other issues that are bound to happen in the future? How does open source survive if it's just one person?

In no way am I trying to nullify what Jared has started, but more looking at a way to improve the status quo for everyone

allanice001 avatar Nov 05 '22 16:11 allanice001

Thank you @allanice001, I was hoping to avoid a fork and motivate the maintainer. I was going to fork myself in the end and re-publish on npm; having it under the @passportjs umbrella is even better.

Let's all move on to https://www.npmjs.com/package/@passport-js/passport-twitter

Cold case closed for me.

hthetiot avatar Nov 23 '22 23:11 hthetiot