Regular Expression Denial of Service in useragent

[jason-upchurch]

Summary

High severity vulnerability found in useragent
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-USERAGENT-174737
Introduced through: karma@4.1.0
From: karma@4.1.0 > useragent@2.3.0

Remediation: None yet

[lbeaufort]

@patphongs @jason-upchurch if the karma package is only used by our automated tests, is it safe to say that this useragent@2.3.0 vulnerability doesn't impact us?

[jason-upchurch]

@patphongs @lbeaufort
The maintainer's repo is here:
3rd-Eden/useragent#147

[jason-upchurch]

@patphongs @lbeaufort The karma library repo is here: https://github.com/karma-runner/karma (this library makes use of useragent).
A fix does not appear to be available at this time, either through updating karma or useragent. I recommend keeping an eye on these two libraries/repos so that when a fix is available we can incorporate it.

[lbeaufort]

@jason-upchurch thanks, I agree we should keep an eye out.

However, if I'm understanding the vulnerability, it requires user input as the attack vector, which we're not making available to the public. All the input to karma comes from our automated tests, so I don't think this vulnerability impacts us.

If that's the case, I think we can remove the due date and security label and bump this issue to a future sprint.

[patphongs]

@jason-upchurch @lbeaufort Did some additional research on this. Because we are using karma under devDependencies, we are not compiling it in the final JS that gets pushed out to production. If you look inside of the ./fec/dist/fec/static/js files that the JS files get compiled to in production, you'll notice that searching for "karma" in the code will yield no results. Therefore, we're not pushing out dev dependencies to production. Do I have this correct @rfultz ?

[jason-upchurch]

Moving to sprint 10.4 per @PaulClark2, keeping assigned to me, and I will keep an eye on remediation.

[rfultz]

💯devDependencies are only used at compile-time and don't go to the production server. Only the code in /fec/dist goes to Prod.

I'm even less worried about this issue because Karma plays traffic cop during our JavaScript tests (npm run test-single) and isn't compiled into our code. It's called during npm run build-production, yes, but it only outputs to the screen.

[jason-upchurch]

Reached out to SISO to discuss options for path forward. Planning discussion for next week.

[jason-upchurch]

useragent is not used in production code. We will keep an eye on the package for updates nonetheless and update when available or investigate alternative packages if the need arises. Pushing out to Sprint 10.6 for now.

[patphongs]

only used for development, so we don't need this