
Class-validator vulnerabilities

Open msmadja-dev opened this issue 2 years ago • 9 comments

Description

Recently found for class-validator critical vulnerability issue: https://snyk.io/vuln/npm:class-validator.

Class-validator is a decorator-based property validation for classes.

Affected versions of this package are vulnerable to Improper Input Validation via bypassing the input validation in validate(), which can lead to cross-site scripting (XSS) or SQL injection. NOTE: There is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass.

AR: Found vulnerability when running npm audit. ER: No vulnerability found.

msmadja-dev avatar Dec 09 '21 11:12 msmadja-dev

Facing the same issue on Snyk Test - https://snyk.io/vuln/SNYK-JS-CLASSVALIDATOR-1730566

gokuldeep-kk avatar Dec 30 '21 11:12 gokuldeep-kk

Any timeframe when this critical vulnerability will be assigned for fix?

rick-aguayo avatar Jan 24 '22 19:01 rick-aguayo

+1 to have this fix

SandraShklyaeva avatar Feb 01 '22 12:02 SandraShklyaeva

Any updates regarding this?

razvanmihaimarin avatar Feb 18 '22 08:02 razvanmihaimarin

When are we planning to take this up? This is also throwing vulnerabilities on AWS ECR after enabling image scanning.

narensgh avatar Feb 22 '22 06:02 narensgh

Any updates on this? I really really really don't want to have to rip this library out and figure out a replacement.

DnOberon avatar Mar 18 '22 18:03 DnOberon

Duplicate of #1422.

Any update on this?

juansedo avatar Apr 20 '22 04:04 juansedo

Hey this is a critical vulnerability can we get some eyes on this?

debragail avatar May 01 '22 04:05 debragail

Honestly, @juansedo @debragail, I'm thinking this package is dead.

DnOberon avatar May 01 '22 13:05 DnOberon

xujif avatar Oct 11 '22 06:10 xujif

For the people asking if there's any update. I don't think there will be.

However, feel free to use this easy fix:

  1. `npm uninstall class-validator`
  2. `npm install @nestjs/class-validator`
  3. search your project for `from 'class-validator'` and replace it with `from '@nestjs/class-validator'`

P.S. This is what I did and it fits my project and it doesn't necessarily mean that you should do it or that it's right.

Shereef avatar Nov 09 '22 05:11 Shereef

Duplicate of #1422

braaar avatar Nov 09 '22 06:11 braaar

Closing this. Let's track this in #1422

braaar avatar Nov 16 '22 20:11 braaar

Hi all!

Sorry for the long overdue update, I would like to chime in to clarify a few things.

First of all, as mentioned before in other threads the reported issue is not a security vulnerability in the sense that you can defend against it by specifying the forbidUnknownValues: true option.

I still think this was opened by mistake and it's the same as if I would open a vulnerability report on NodeJS saying "if I turn off the server the NodeJS application crashes". The valid (and fixed) problem was in the class-transformer package that I fixed in a rather speedy manner in under 10 days from disclosure. (The fastest fix from the 3 affected packages.) That issue was properly reported privately to me with a pentest report explaining the attack vector.

A second problem is that for this vulnerability I was never provided a reproducible test case officially, saying: this is what is failing and needs to be fixed. The closest to an official example is from the issue in this repository that is linked in the security reports: #438. Running that example code shows the issue has been fixed for almost a year now.

Code snippet from #438:

```typescript
import { validate, IsInt, Length, IsEmail, IsFQDN, IsDate, Min, Max } from "class-validator";
import { plainToClass } from "class-transformer";

class Post {
  @Length(10, 20)
  title: string;

  @IsInt()
  @Min(0)
  @Max(10)
  rating: number;

  @IsEmail()
  email: string;

  @IsFQDN()
  site: string;

  @IsDate()
  createDate: Date;
}

// a malformed input: wrong type for title and an unexpected "proto" key
let userJson = JSON.parse('{"title":1233, "proto":{}}');
let users = plainToClass(Post, userJson);

// forbidUnknownValues: true makes validate() reject any value it has no validation metadata for
validate(users, { forbidUnknownValues: true }).then(errors => { // errors is an array of validation errors
  if (errors.length > 0) {
    console.log("validation failed. errors: ", errors);
  } else {
    console.log("validation succeeded");
  }
});
```

This code fails with validation errors as expected.

So you may ask why the security advisory is still open. That's the million-dollar question, and the answer is that when you try to write to someone they will redirect you to someone else, who will redirect you to someone else, who will redirect you to the first org. It's a circle and everybody says: "sorry, I just source my data from someone else, I cannot do anything for you".

Another contributor tried to write to them, and I have tried to write to them. No success.

The mistake I made was that after a while I stopped trying. I knew the issue doesn't exist, so I am using it without worrying, but I see how an open critical advisory is scary for others.

To sum up my plan for going at it again:

  • I will flip the default settings for forbidUnknownValues and make a release so there is literally zero ground to say this is a vulnerability
  • I will try to contact the SNYK and other organizations again to tell them the issue is not present
  • I will repeat step two until someone actually can update the security advisory

Also, it is worth noting that the other package under the NestJS org doesn't fix any issues. The security warning is not present there because it has a different name, not because the "problem is fixed".

PS: As @braaar mentioned, this is tracked in another issue now, please subscribe to that for future changes.

NoNameProvided avatar Nov 17 '22 02:11 NoNameProvided
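A constructed, simplified model of the behaviour discussed above (added here as an illustration; it is not class-validator's code and only mirrors the shape of its `validate(value, { forbidUnknownValues })` call): validation rules are keyed on the class of the value, so a plain object parsed from JSON carries no rules and passes silently unless `forbidUnknownValues` turns that silence into an error. The `Post` rules and the malformed input are constructed for the example.

```javascript
// Simplified model, NOT class-validator itself: a metadata registry keyed on
// the class constructor, and a validate() that consults it.
const metadata = new Map(); // class -> Map(property -> [rule])

function addRule(cls, prop, check, message) {
  if (!metadata.has(cls)) metadata.set(cls, new Map());
  const props = metadata.get(cls);
  if (!props.has(prop)) props.set(prop, []);
  props.get(prop).push({ check, message });
}

// Constructed stand-in for the decorated Post class from #438.
class Post {}
addRule(Post, "title", v => typeof v === "string" && v.length >= 10 && v.length <= 20, "title must be 10-20 chars");
addRule(Post, "rating", v => Number.isInteger(v) && v >= 0 && v <= 10, "rating must be an int in 0..10");

function validate(value, options = {}) {
  const proto = value === null || typeof value !== "object" ? null : Object.getPrototypeOf(value);
  const rules = proto ? metadata.get(proto.constructor) : undefined;
  if (!rules) {
    // No rules registered for this value's class: this is the "bypass".
    // Without forbidUnknownValues there is nothing to check, so no errors.
    if (!options.forbidUnknownValues) return [];
    return [{ property: undefined, constraints: ["an unknown value was passed to the validate function"] }];
  }
  const errors = [];
  for (const [prop, checks] of rules) {
    const failed = checks.filter(r => !r.check(value[prop])).map(r => r.message);
    if (failed.length > 0) errors.push({ property: prop, constraints: failed });
  }
  return errors;
}

// Error counts for the four cases a defender should compare.
function demo() {
  const untrusted = JSON.parse('{"title":1233}'); // constructed malformed input
  const good = Object.assign(new Post(), { title: "a valid title!", rating: 5 });
  return {
    bypass: validate(untrusted).length,                                // plain object, flag off: 0
    guarded: validate(untrusted, { forbidUnknownValues: true }).length, // plain object, flag on: 1
    typed: validate(Object.assign(new Post(), untrusted)).length,      // real Post instance: 2 (title type, missing rating)
    valid: validate(good).length,                                      // well-formed Post: 0
  };
}
```

The `typed` case shows that the flag is a backstop, not a substitute: converting input into an instance of the decorated class (what `plainToClass` does in the snippet above) is what actually gets the property rules applied.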

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Dec 18 '22 00:12 github-actions[bot]