Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

阿里云检测漏洞 #5239

Closed
Elric-pp opened this issue Jul 20, 2023 · 4 comments
Closed

阿里云检测漏洞 #5239

Elric-pp opened this issue Jul 20, 2023 · 4 comments
Assignees
@fengmk2
Labels
core: httpclient

Comments

@Elric-pp
Copy link

在此输入你需要反馈的 Bug 具体信息(Bug in Detail):

  1. 目前 eggjs 依赖了 urllib,里面依赖 vm2,存在漏洞
  2. https://avd.aliyun.com/detail/CVE-2023-37466?spm=0.2020520154.sas.6.ef34rBjvrBjvo4&lang=zh

可复现问题的仓库地址(Reproduction Repo)

https://github.com/eggjs

Node 版本号:

v20.4

Eggjs 版本号:

3.17.3

相关插件名称与版本号(PlugIn and Name):

none

操作平台与版本号(Platform and Version):

alpine
@fengmk2 fengmk2 self-assigned this Jul 23, 2023
@fengmk2
Copy link
Member

fengmk2 commented Jul 23, 2023

请设置 https://github.com/eggjs/egg/blob/master/config/config.default.js#L321 config.httpclient.useHttpClientNext = true,就不会使用 urllib2。
目前 vm2 在 urllib2 是 proxy-agent 间接依赖的,不走代理不会使用到。

fengmk2 added a commit to node-modules/urllib that referenced this issue Jul 23, 2023
@fengmk2
feat: avoid deps vm2
f3d2714 
move proxy-agent to peerDependencies and make it optional

closes eggjs/egg#5239
@fengmk2 fengmk2 mentioned this issue Jul 23, 2023
Merged
fengmk2 added a commit to node-modules/urllib that referenced this issue Jul 28, 2023
@fengmk2
feat: avoid deps vm2 (#457)
9dbcc78 
move proxy-agent to peerDependencies and make it optional

closes eggjs/egg#5239
@fengmk2
Copy link
Member

fengmk2 commented Jul 28, 2023

node-modules/urllib#457

@fengmk2 fengmk2 closed this as completed Jul 28, 2023
@CzyYYDS
Copy link

CzyYYDS commented Aug 22, 2023

请设置 https://github.com/eggjs/egg/blob/master/config/config.default.js#L321 config.httpclient.useHttpClientNext = true,就不会使用 urllib2。 目前 vm2 在 urllib2 是 proxy-agent 间接依赖的,不走代理不会使用到。

请问下大佬egg项目需要更新urllib 版本吗,还是说直接设置useHttpClientNext就好了

@fengmk2
Copy link
Member

fengmk2 commented Aug 22, 2023

请设置 https://github.com/eggjs/egg/blob/master/config/config.default.js#L321 config.httpclient.useHttpClientNext = true,就不会使用 urllib2。 目前 vm2 在 urllib2 是 proxy-agent 间接依赖的,不走代理不会使用到。

请问下大佬egg项目需要更新urllib 版本吗,还是说直接设置useHttpClientNext就好了

重新安装 egg 依赖就可以了,urllib2 最新版本也已经修复了。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fengmk2 fengmk2

Labels
core: httpclient
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fengmk2 @Elric-pp @CzyYYDS