Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potentially compromised dependency getcookies (via mailparser) #10641

Closed
segphault opened this issue May 2, 2018 · 4 comments · Fixed by #10648
Closed

Potentially compromised dependency getcookies (via mailparser) #10641

segphault opened this issue May 2, 2018 · 4 comments · Fixed by #10648
Assignees
@geekgonecrazy @rodrigok @tostanoski
Milestone
0.64.1

Comments

@segphault
Copy link

Description:

On April 20, a seemingly routine dependency update PR introduced what appears to be a compromised package.

Updating mailparser from version 2.2.0 to 2.2.3 pulled in a transitive dependency called http-fetch-cookies, which has a sub-dependency called express-cookies, which depends on a package called getcookies. The getcookies package apparently has a backdoor (reported here) that looks like it uses the vm module to run arbitrary code provided from a request inside of the application's context.

It appears that npm has since removed http-fetch-cookies, express-cookies, get-cookies and mailparser 2.2.3. According to google cache, mailparser 2.2.3 was published 17 days ago with the added dependency. It's worth noting that mailparser became deprecated last month due to lack of funding, and this compromise seems to have happened since then. As mailparser has 67,000 weekly downloads, this is quite concerning.
@bosko
Copy link

bosko commented May 2, 2018

This makes it impossible to start Rocket.Chat. After cloning project on Ubuntu 16.04 meteor npm install fails with:

npm ERR! 404 Not Found: mailparser@https://registry.npmjs.org/mailparser/-/mailparser-2.2.3.tgz

@evilpacket
Copy link

Here is some more context about the mentioned modules. https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies

@faziloub
Copy link

faziloub commented May 3, 2018

same for me but mine its
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/package.json'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/README.md'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/LICENSE'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/index.js'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/aws-sdk-8c444618/clients/alexaforbusiness.d.ts'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/protobufjs-497d90ae/docs/fonts/OpenSans-Regular-webfont.woff'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/chimp-6e0f149b/images/test-frameworks.png'
npm ERR! code E404
npm ERR! 404 Not Found: mailparser@https://registry.npmjs.org/mailparser/-/mailparser-2.2.3.tgz

@sampaiodiego sampaiodiego mentioned this issue May 3, 2018
Merged
@Sing-Li
Copy link
Member

Sing-Li commented May 3, 2018

Thanks @segphault @bosko @evilpacket and @isabellarussell for reporting this!

@engelgabriel engelgabriel added this to the 0.64.1 milestone May 3, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geekgonecrazy geekgonecrazy

@rodrigok rodrigok

@tostanoski tostanoski

Labels
None yet
Projects
None yet
Milestone
0.64.1
Development

Successfully merging a pull request may close this issue.

Dependencies update RocketChat/Rocket.Chat
9 participants
@segphault @bosko @geekgonecrazy @evilpacket @Sing-Li @rodrigok @engelgabriel @tostanoski @faziloub