chore(TMC-27581): security issue in redux storage decorator filter #5313

VolodymyrKovalM · 2024-05-21T08:17:54Z

What is the problem this PR is trying to solve?
Lodash per method packages are not maintained anymore, but still, lodash.set is used in "redux-storage-decorator-filter", which is used in TUI CMF

There is a security issue detected in lodash.set, and, since per method packages are not maintained, and "redux-storage-decorator-filter" seems also not maintained, we need to refactor CMF

https://jira.talendforge.org/browse/TMC-27581

What is the chosen solution to this problem?
As Redux storage functions in CMF are marked as deprecated, we can choose to refactor and remove this part

Looking through all Talend repositories, currently CMF Redux storage is used in

Semantic in ui-ee
ui-schema repository
ui-semantic repository (seems not maintained, has been moved to ui-ee repository, so, it is the same as Semantic in ui-ee)

Redux storage usage has been removed from Semantic in ui-ee in https://github.com/Talend/ui-ee/pull/1065

ui-schema repository, seems not used anywhere

So, seems Redux storage usage can be removed from CMF

Please check if the PR fulfills these requirements

The PR have used yarn changeset to a request a release from the CI if wanted.
The PR commit message follows our guidelines
Tests for the changes have been added (for bug fixes / features) And non reg done before need review
Docs have been added / updated (for bug fixes / features)
Related design / discussions / pages (not in jira), if any, are all linked or available in the PR

[ ] This PR introduces a breaking change

…curity-issue-in-redux-storage-decorator-filter

github-actions · 2024-05-21T08:27:28Z

5313

Demo is available here

github-actions · 2024-05-21T08:29:50Z

Title	Statements	Branches	Functions
assets-api	28.4% (25/88)	30.76% (16/52)	21.42% (3/14)
cmf	89.18% (1237/1387)	80.88% (605/748)	89.28% (350/392)
cmf-cqrs	87.43% (160/183)	70.23% (59/84)	84.21% (48/57)
cmf-router	69.23% (135/195)	55.71% (78/140)	56.81% (25/44)
components	90.81% (5519/6077)	81.85% (3194/3902)	88.19% (1390/1576)
containers	83.71% (1388/1658)	74.81% (692/925)	75.17% (327/435)
dataviz	85.44% (323/378)	66.66% (160/240)	75.79% (119/157)
design-system	67% (1005/1500)	50.47% (527/1044)	54.54% (216/396)
faceted-search	85.69% (677/790)	79.31% (303/382)	82.63% (238/288)
flow-designer	70.07% (651/929)	66.72% (355/532)	70.92% (200/282)
forms	85.79% (1637/1908)	75.69% (925/1222)	84.24% (460/546)
http	100% (85/85)	98.07% (51/52)	100% (34/34)
sagas	92.3% (24/26)	66.66% (4/6)	50% (2/4)
stepper	81.52% (150/184)	59.34% (54/91)	80.85% (38/47)
utils	100% (73/73)	90.9% (10/11)	100% (24/24)

github-actions · 2024-05-21T08:33:07Z

Size Change: -273 kB (-2%)

Total Size: 17.4 MB

Filename	Size	Change
`./packages/cmf/dist/TalendReactCmf.js`	576 kB	-230 kB (-29%)	🎉
`./packages/cmf/dist/TalendReactCmf.min.js`	108 kB	-42.8 kB (-28%)	🎉

ℹ️ View Unchanged

Filename	Size
`./packages/assets-api/dist/TalendAssetsApi.js`	7.15 kB
`./packages/assets-api/dist/TalendAssetsApi.js.dependencies.json`	2 B
`./packages/assets-api/dist/TalendAssetsApi.min.js`	3.33 kB
`./packages/assets-api/dist/TalendAssetsApi.min.js.dependencies.json`	2 B
`./packages/cmf-cqrs/dist/TalendReactCmfCqrs.js`	277 kB
`./packages/cmf-cqrs/dist/TalendReactCmfCqrs.js.dependencies.json`	595 B
`./packages/cmf-cqrs/dist/TalendReactCmfCqrs.min.js`	54.6 kB
`./packages/cmf-cqrs/dist/TalendReactCmfCqrs.min.js.dependencies.json`	614 B
`./packages/cmf-router/dist/TalendReactCmfRouter.js`	163 kB
`./packages/cmf-router/dist/TalendReactCmfRouter.js.dependencies.json`	1.25 kB
`./packages/cmf-router/dist/TalendReactCmfRouter.min.js`	12.8 kB
`./packages/cmf-router/dist/TalendReactCmfRouter.min.js.dependencies.json`	1.29 kB
`./packages/cmf/dist/TalendReactCmf.js.dependencies.json`	1.31 kB
`./packages/cmf/dist/TalendReactCmf.min.js.dependencies.json`	1.35 kB
`./packages/components/dist/TalendReactComponents.css`	397 kB
`./packages/components/dist/TalendReactComponents.js`	4.85 MB
`./packages/components/dist/TalendReactComponents.js.dependencies.json`	3.21 kB
`./packages/components/dist/TalendReactComponents.min.css`	212 kB
`./packages/components/dist/TalendReactComponents.min.js`	1.29 MB
`./packages/components/dist/TalendReactComponents.min.js.dependencies.json`	3.29 kB
`./packages/containers/dist/TalendReactContainers.css`	2.99 kB
`./packages/containers/dist/TalendReactContainers.js`	706 kB
`./packages/containers/dist/TalendReactContainers.js.dependencies.json`	1.4 kB
`./packages/containers/dist/TalendReactContainers.min.css`	1.78 kB
`./packages/containers/dist/TalendReactContainers.min.js`	136 kB
`./packages/containers/dist/TalendReactContainers.min.js.dependencies.json`	1.45 kB
`./packages/dataviz/dist/TalendReactDataviz.css`	28.1 kB
`./packages/dataviz/dist/TalendReactDataviz.js`	370 kB
`./packages/dataviz/dist/TalendReactDataviz.js.dependencies.json`	1.15 kB
`./packages/dataviz/dist/TalendReactDataviz.min.css`	12.2 kB
`./packages/dataviz/dist/TalendReactDataviz.min.js`	59.5 kB
`./packages/dataviz/dist/TalendReactDataviz.min.js.dependencies.json`	1.19 kB
`./packages/design-system/dist/TalendDesignSystem.css`	332 kB
`./packages/design-system/dist/TalendDesignSystem.js`	1.43 MB
`./packages/design-system/dist/TalendDesignSystem.js.dependencies.json`	1.49 kB
`./packages/design-system/dist/TalendDesignSystem.min.css`	215 kB
`./packages/design-system/dist/TalendDesignSystem.min.js`	288 kB
`./packages/design-system/dist/TalendDesignSystem.min.js.dependencies.json`	1.53 kB
`./packages/design-tokens/dist/TalendDesignTokens.css`	79.1 kB
`./packages/design-tokens/dist/TalendDesignTokens.js`	39.7 kB
`./packages/design-tokens/dist/TalendDesignTokens.js.dependencies.json`	2 B
`./packages/design-tokens/dist/TalendDesignTokens.min.css`	75 kB
`./packages/design-tokens/dist/TalendDesignTokens.min.js`	33.4 kB
`./packages/design-tokens/dist/TalendDesignTokens.min.js.dependencies.json`	2 B
`./packages/faceted-search/dist/TalendReactFacetedSearch.css`	19.1 kB
`./packages/faceted-search/dist/TalendReactFacetedSearch.js`	751 kB
`./packages/faceted-search/dist/TalendReactFacetedSearch.js.dependencies.json`	1.54 kB
`./packages/faceted-search/dist/TalendReactFacetedSearch.min.css`	6.28 kB
`./packages/faceted-search/dist/TalendReactFacetedSearch.min.js`	148 kB
`./packages/faceted-search/dist/TalendReactFacetedSearch.min.js.dependencies.json`	1.59 kB
`./packages/flow-designer/dist/TalendReactFlowDesigner.min.js`	50.7 kB
`./packages/flow-designer/dist/TalendReactFlowDesigner.min.js.dependencies.json`	1.25 kB
`./packages/forms/dist/TalendReactForms.css`	19.7 kB
`./packages/forms/dist/TalendReactForms.js`	1.05 MB
`./packages/forms/dist/TalendReactForms.js.dependencies.json`	1.36 kB
`./packages/forms/dist/TalendReactForms.min.css`	6.13 kB
`./packages/forms/dist/TalendReactForms.min.js`	320 kB
`./packages/forms/dist/TalendReactForms.min.js.dependencies.json`	1.39 kB
`./packages/http/dist/TalendHttp.js`	24.8 kB
`./packages/http/dist/TalendHttp.js.dependencies.json`	2 B
`./packages/http/dist/TalendHttp.min.js`	5.31 kB
`./packages/http/dist/TalendHttp.min.js.dependencies.json`	2 B
`./packages/icons/dist/bundle.js`	1.26 kB
`./packages/icons/dist/info.js`	26.8 kB
`./packages/icons/dist/react.esm.js`	614 kB
`./packages/icons/dist/react.js`	654 kB
`./packages/icons/dist/talend-icons-webfont.css`	18.3 kB
`./packages/icons/dist/talendicons.css`	334 B
`./packages/icons/dist/TalendIcons.js`	786 kB
`./packages/icons/dist/TalendIcons.js.dependencies.json`	128 B
`./packages/icons/dist/TalendIcons.min.js`	636 kB
`./packages/icons/dist/TalendIcons.min.js.dependencies.json`	131 B
`./packages/icons/dist/typeUtils.js`	14.5 kB
`./packages/router-bridge/dist/TalendRouterBridge.js`	134 kB
`./packages/router-bridge/dist/TalendRouterBridge.js.dependencies.json`	1.05 kB
`./packages/router-bridge/dist/TalendRouterBridge.min.js`	21 kB
`./packages/router-bridge/dist/TalendRouterBridge.min.js.dependencies.json`	1.07 kB
`./packages/sagas/dist/TalendReactSagas.js`	10.9 kB
`./packages/sagas/dist/TalendReactSagas.js.dependencies.json`	348 B
`./packages/sagas/dist/TalendReactSagas.min.js`	1.41 kB
`./packages/sagas/dist/TalendReactSagas.min.js.dependencies.json`	360 B
`./packages/stepper/dist/TalendReactStepper.css`	2.41 kB
`./packages/stepper/dist/TalendReactStepper.js`	97 kB
`./packages/stepper/dist/TalendReactStepper.js.dependencies.json`	1.27 kB
`./packages/stepper/dist/TalendReactStepper.min.css`	1.2 kB
`./packages/stepper/dist/TalendReactStepper.min.js`	9.37 kB
`./packages/stepper/dist/TalendReactStepper.min.js.dependencies.json`	1.31 kB
`./packages/storybook-docs/dist/globalStyles.js`	0 B	🆕
`./packages/storybook-docs/dist/globalStyles.min.css`	384 B
`./packages/storybook-docs/dist/managerStyles.js`	0 B	🆕
`./packages/storybook-docs/dist/managerStyles.min.css`	1.5 kB
`./packages/theme/dist/bootstrap.css`	171 kB
`./packages/theme/dist/bootstrap.js`	2.51 kB
`./packages/theme/dist/bootstrap.js.dependencies.json`	3 B

_{compressed-size-action}

Gbacc · 2024-05-21T08:51:43Z

Maybe you will need a changeset ?

jmfrancois

no more users of it so looks good to me.
If used it should have been a major but I will not bother you with that.

VolodymyrKovalM added 2 commits May 21, 2024 11:04

chore(TMC-27581): security issue in redux storage decorator filter

218e815

Merge branch 'master' of github.com:Talend/ui into chore/TMC-27581/se…

a910b17

…curity-issue-in-redux-storage-decorator-filter

VolodymyrKovalM temporarily deployed to pull_request_unsafe May 21, 2024 08:18 — with GitHub Actions Inactive

Gbacc approved these changes May 21, 2024

View reviewed changes

chore(TMC-27581): security issue in redux storage decorator filter

ae33335

VolodymyrKovalM temporarily deployed to pull_request_unsafe May 21, 2024 12:00 — with GitHub Actions Inactive

jmfrancois approved these changes May 21, 2024

View reviewed changes

VolodymyrKovalM temporarily deployed to pull_request_unsafe May 21, 2024 12:44 — with GitHub Actions Inactive

chore(TMC-27581): security issue in redux storage decorator filter

fabb7f3

VolodymyrKovalM merged commit e48ae5f into master May 21, 2024
11 checks passed

VolodymyrKovalM deleted the chore/TMC-27581/security-issue-in-redux-storage-decorator-filter branch May 21, 2024 14:25

VolodymyrKovalM had a problem deploying to pull_request_unsafe May 21, 2024 14:25 — with GitHub Actions Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(TMC-27581): security issue in redux storage decorator filter #5313

chore(TMC-27581): security issue in redux storage decorator filter #5313

VolodymyrKovalM commented May 21, 2024

github-actions bot commented May 21, 2024

github-actions bot commented May 21, 2024 •

edited

Loading

github-actions bot commented May 21, 2024 •

edited

Loading

Gbacc commented May 21, 2024

jmfrancois left a comment

chore(TMC-27581): security issue in redux storage decorator filter #5313

chore(TMC-27581): security issue in redux storage decorator filter #5313

Conversation

VolodymyrKovalM commented May 21, 2024

github-actions bot commented May 21, 2024

github-actions bot commented May 21, 2024 • edited Loading

github-actions bot commented May 21, 2024 • edited Loading

Gbacc commented May 21, 2024

jmfrancois left a comment

Choose a reason for hiding this comment

github-actions bot commented May 21, 2024 •

edited

Loading

github-actions bot commented May 21, 2024 •

edited

Loading