
Dependency Tree-kill 1.2.1 Vulnerability #16629

Closed
phoenix09208 opened this issue Jan 10, 2020 · 4 comments

Comments

@phoenix09208

@phoenix09208 phoenix09208 commented Jan 10, 2020

angular-devkit/build-angular@0.803.22 dependent on Tree-kill 1.2.1,

according to https://www.npmjs.com/advisories/1432, it is prone to command injection, please upgrade dependency to later version. Thanks

@DibyodyutiMondal


@DibyodyutiMondal DibyodyutiMondal commented Jan 12, 2020

This affects angular 9 rc-8 too

@cwilby


@cwilby cwilby commented Jan 13, 2020

A temporary workaround (that also works in situations where package maintainer has yet to release dependencies but y'know, security.)

First, run npm audit to determine which version needs to be fixed.

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tree-kill                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > tree-kill                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1432 (hi medium/hackernoon)     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Ok, we need tree-kill@1.2.2.

Go to https://registry.npmjs.org/${PACKAGE}, in this case https://registry.npmjs.org/tree-kill and copy versions.${VERSION}.dist.integrity.

For tree-kill@1.2.2, it's sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==.

Finally, open package-lock.json and change the require version of @angular-devkit/build-angular and the version/integrity for tree-kill.

{
    ...
    "dependencies": {
        "@angular-devkit/build-angular": {
            ...
            "requires": {
                ...
                "tree-kill": "1.2.2"
                ...
            }
            ...
        },
        ...
        "tree-kill": {
            "version": "1.2.2",
            "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
            "integrity": "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==",
            "dev": true
        },
        ...
    }
    ...
}

Running npm audit shouldn't find any vulnerabilities if this was the only issue.

                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities

Some caveats - when the package maintainer updates their package but doesn't update the affected required package, you'll need to do this again. However, if they do update the affected package, you won't need to do any extra work.
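The manual lockfile edit described in the comment above, as an added Node.js example that is not part of the issue or the Angular CLI project: it walks an npm v6 package-lock.json, pins any tree-kill entry below the patched version to 1.2.2, rewrites its resolved URL and integrity, and bumps each parent's "requires" range so npm does not re-resolve the old version. The lockfile object is constructed; the integrity string is the one quoted in the comment, and the tarball URL format is assumed to follow the registry's usual layout.

```javascript
// Integrity for tree-kill@1.2.2 as quoted in the comment above.
const TREE_KILL_122_INTEGRITY =
  'sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==';

// Compare plain dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every "dependencies" level of an npm v6 lockfile (nested entries included).
// Wherever `name` resolves below `patchedIn`, pin it to `fixedVersion` with the given
// integrity, and rewrite any parent's "requires" range for it. Returns entries patched.
function patchLockfile(lock, name, patchedIn, fixedVersion, integrity) {
  const tarballBase = name.split('/').pop(); // scoped packages use "@scope/name/-/name-<v>.tgz"
  let patched = 0;
  function walk(deps) {
    for (const [depName, entry] of Object.entries(deps || {})) {
      if (depName === name && compareVersions(entry.version, patchedIn) < 0) {
        entry.version = fixedVersion;
        entry.resolved = `https://registry.npmjs.org/${name}/-/${tarballBase}-${fixedVersion}.tgz`;
        entry.integrity = integrity;
        patched++;
      }
      if (entry.requires && entry.requires[name]) entry.requires[name] = fixedVersion;
      walk(entry.dependencies);
    }
  }
  walk(lock.dependencies);
  return patched;
}

// Constructed sample lockfile shaped like the one in the comment (integrity is a placeholder).
function sampleLock() {
  return { dependencies: {
    '@angular-devkit/build-angular': { version: '0.803.22', requires: { 'tree-kill': '1.2.1' } },
    'tree-kill': { version: '1.2.1',
                   resolved: 'https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz',
                   integrity: 'sha512-PLACEHOLDER', dev: true },
  } };
}
```

After patching, write the object back with JSON.stringify(lock, null, 2) and run npm audit again; a second run of patchLockfile reports 0 entries, which is the check that nothing below the patched version remains.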

@alan-agius4

Collaborator

@alan-agius4 alan-agius4 commented Jan 13, 2020

Fixed via #16634

@alechemy


@alechemy alechemy commented Jan 21, 2020

Is there a plan to issue a security patch that resolves this for 7.x?
