
High vulnerability ReDoS in normalize-url #11054

Closed
corradin opened this issue Jun 4, 2021 · 4 comments
Comments


corradin commented Jun 4, 2021

There is a Regular Expression Denial of Service (ReDoS) vulnerability in the normalize-url dependency.

This is the dependency tree:

  1. react-components@0.1.0 › react-scripts@4.0.3 › mini-css-extract-plugin@0.11.3 › normalize-url@1.9.1
  2. react-components@0.1.0 › react-scripts@4.0.3 › optimize-css-assets-webpack-plugin@5.0.4 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-normalize-url@4.0.1 › normalize-url@3.3.0

The vulnerability has been fixed in normalize-url versions 6.0.1, 5.3.1 and 4.5.1.

  1. The latest version (1.6.0) of mini-css-extract-plugin doesn't have a dependency on normalize-url anymore, so including that one in react-scripts would solve this vulnerability issue.
  2. The latest version of postcss-normalize-url still uses the unfixed version of normalize-url (4.5.0). This can be fixed by using the latest version (6.6.0) of optimize-css-assets-webpack-plugin.
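As an added example (not code from the issue, create-react-app or the normalize-url project), the following script checks npm-audit-style dependency chains like the two quoted above against the fixed releases named in the issue; the helper names are ours, and treating majors above 6 as fixed is an assumption the issue does not state.

```javascript
// Added example: check the normalize-url versions in npm-audit-style dependency
// chains against the fixed releases the issue names (6.0.1, 5.3.1, 4.5.1).
const FIXED_BY_MAJOR = { 4: [4, 5, 1], 5: [5, 3, 1], 6: [6, 0, 1] };

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  if (!m) throw new Error(`unsupported version string: ${text}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version predates the fix for its major line. Majors below 4 never
// got a fixed release; majors above 6 are assumed (our assumption) to carry the fix.
function isVulnerableNormalizeUrl(version) {
  const v = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[v[0]];
  return fixed ? compareVersions(v, fixed) < 0 : v[0] < 4;
}

// Parse "a@1.0.0 › b@2.0.0 › c@3.0.0" into [{ name, version }, ...];
// lastIndexOf("@") keeps scoped names such as @scope/pkg intact.
function parseChain(line) {
  return line.split("›").map(s => s.trim()).filter(Boolean).map(spec => {
    const at = spec.lastIndexOf("@");
    return { name: spec.slice(0, at), version: spec.slice(at + 1) };
  });
}

// Report every chain whose leaf is normalize-url with its version and verdict.
function auditChains(lines) {
  return lines.map(parseChain)
    .filter(chain => chain[chain.length - 1].name === "normalize-url")
    .map(chain => ({
      path: chain.map(p => p.name).join(" > "),
      version: chain[chain.length - 1].version,
      vulnerable: isVulnerableNormalizeUrl(chain[chain.length - 1].version),
    }));
}

// The two chains quoted in the issue.
const ISSUE_CHAINS = [
  "react-components@0.1.0 › react-scripts@4.0.3 › mini-css-extract-plugin@0.11.3 › normalize-url@1.9.1",
  "react-components@0.1.0 › react-scripts@4.0.3 › optimize-css-assets-webpack-plugin@5.0.4 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-normalize-url@4.0.1 › normalize-url@3.3.0",
];
for (const r of auditChains(ISSUE_CHAINS)) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok"} normalize-url@${r.version} via ${r.path}`);
}
```

Both chains in the issue resolve to a version below 4.5.1 and are reported as VULNERABLE; the same function accepts the output of `npm ls normalize-url` once reformatted into chains.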

pfg-matt commented Jun 7, 2021

Many are facing this exact issue.
I work for an AppSec department at a global financial services corporation that has small armies of compliance personnel who care a lot about the collection of postcss vulnerabilities of which this is one. In the current context, that results in largely wasted/unproductive work.
Across the globe, the development teams that I support must deploy safe-enough software. Even under the best of conditions, this is a serious challenge.
Please invest the effort to get this upgrade prioritized, completed and deployed. There are real, material costs (to say nothing of the exploit risks) to the extended period required to purge the broader collection of postcss-related vulnerabilities: https://github.com/facebook/create-react-app/issues?q=is%3Aissue+is%3Aopen++postcss.

kaxil pushed a commit to astronomer/airflow that referenced this issue Jun 10, 2021
Update two packages that used a highly vulnerable version of normalize-url

See facebook/create-react-app#11054
ashb pushed a commit to apache/airflow that referenced this issue Jun 11, 2021
Update two packages that used a highly vulnerable version of normalize-url

See facebook/create-react-app#11054
ccummings pushed a commit to pixelplicity/react-simple-file-upload that referenced this issue Jun 17, 2021
There are a few npm warnings remaining but they rely on other packages to update like React:
facebook/create-react-app#11054

For now, I've switched the build to use Yarn which allows us to use resolutions to include the newer versions of these insecure packages.

The end result is that npm will still say there are fixes required, but the actual packages being used to build this package are the fixed versions.
@davidhjones

Related issue #11012

ashb pushed a commit to apache/airflow that referenced this issue Jun 22, 2021
Update two packages that used a highly vulnerable version of normalize-url

See facebook/create-react-app#11054

(cherry picked from commit 70bf1b1)
kaxil pushed a commit to astronomer/airflow that referenced this issue Jun 22, 2021
Update two packages that used a highly vulnerable version of normalize-url

See facebook/create-react-app#11054

(cherry picked from commit 70bf1b1)
(cherry picked from commit b578120)

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021

gaearon commented Jul 2, 2021

Please see #11174.
