[Snyk: High] Regular Expression Denial of Service (ReDoS) (due 1/15/2021) #4266

Closed
Tracked by #137
lbeaufort opened this issue Dec 17, 2020 · 3 comments · Fixed by #4313
Labels
High priority Security: high Remediate within 30 days

Comments

@lbeaufort
Member

Regular Expression Denial of Service (ReDoS)
Vulnerable module: ua-parser-js
Fixed in: 0.7.23

Detailed paths and remediation
Introduced through: fec-cms@1.0.0 › ua-parser-js@0.7.22
Introduced through: fec-cms@1.0.0 › draft-js@0.11.7 › fbjs@2.0.0 › ua-parser-js@0.7.22

Remediation:
Upgrade to ua-parser-js@0.7.23
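
The Snyk report above lists two dependency paths to the same vulnerable version, one direct and one transitive through draft-js and fbjs. The following is an added example (not code from the fec-cms project or from Snyk) that reproduces that check locally: it walks a package.json together with a lockfileVersion 1 package-lock.json, resolves "requires" edges the way Node resolves nested node_modules, and flags every path whose resolved version is below the advisory's fixed version. The package.json and lock contents, and the extra `fresh-lib` package carrying its own patched copy, are constructed sample data.

```javascript
// Added example (not code from the fec-cms project or from Snyk): walk an npm
// package-lock.json (lockfileVersion 1 layout) together with package.json and
// list every dependency path that reaches a given package, then flag the paths
// whose resolved version is older than the advisory's fixed version.
// All names, versions and lock contents below are constructed sample data.

const VULNERABLE_PACKAGE = 'ua-parser-js';
const FIXED_VERSION = '0.7.23'; // the "Fixed in" version from the advisory

// Constructed package.json (direct dependencies of the root project).
const samplePackageJson = {
  name: 'fec-cms',
  version: '1.0.0',
  dependencies: {
    'draft-js': '^0.11.7',
    'fresh-lib': '^1.0.0', // hypothetical package carrying its own patched copy
    'ua-parser-js': '^0.7.22',
  },
};

// Constructed lockfile. npm hoists a single 0.7.22 copy to the top level, so
// fbjs resolves to it through "requires"; fresh-lib needs ^0.7.23 and therefore
// gets a nested copy under its own "dependencies".
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'draft-js': { version: '0.11.7', requires: { fbjs: '^2.0.0' } },
    fbjs: { version: '2.0.0', requires: { 'ua-parser-js': '^0.7.18' } },
    'fresh-lib': {
      version: '1.0.0',
      requires: { 'ua-parser-js': '^0.7.23' },
      dependencies: { 'ua-parser-js': { version: '0.7.23' } },
    },
    'ua-parser-js': { version: '0.7.22' },
  },
};

// Compare two dotted numeric versions (pre-release tags ignored); true when a < b.
function versionLess(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Node-style resolution: search the innermost "dependencies" map first, then
// each enclosing one. Returns the entry and the index of the scope it came from.
function resolveDep(name, scopes) {
  for (let i = 0; i < scopes.length; i++) {
    if (scopes[i] && scopes[i][name]) return { entry: scopes[i][name], scopeIndex: i };
  }
  return null;
}

// Enumerate every path from the root to `target`, following "requires" edges.
function findPaths(pkgJson, lock, target) {
  const found = [];
  function walk(requires, scopes, path) {
    for (const dep of Object.keys(requires || {})) {
      const hit = resolveDep(dep, scopes);
      if (!hit) continue; // not installed (e.g. optional), nothing to follow
      const label = `${dep}@${hit.entry.version}`;
      if (path.includes(label)) continue; // cycle guard
      const nextPath = [...path, label];
      if (dep === target) found.push({ version: hit.entry.version, path: nextPath });
      // Scopes visible from inside the resolved package: its own nested
      // node_modules, then the scope it was found in and everything above it.
      walk(hit.entry.requires, [hit.entry.dependencies, ...scopes.slice(hit.scopeIndex)], nextPath);
    }
  }
  const rootRequires = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  walk(rootRequires, [lock.dependencies], [`${pkgJson.name}@${pkgJson.version}`]);
  return found;
}

// Keep only the occurrences still below the fixed version.
function vulnerableOccurrences(pkgJson, lock, target, fixedVersion) {
  return findPaths(pkgJson, lock, target).filter((o) => versionLess(o.version, fixedVersion));
}

const report = vulnerableOccurrences(samplePackageJson, sampleLock, VULNERABLE_PACKAGE, FIXED_VERSION);
for (const occ of report) {
  console.log(`${VULNERABLE_PACKAGE}@${occ.version} (< ${FIXED_VERSION}) via ${occ.path.join(' › ')}`);
}
```

Run against real files by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`. The nested-scope resolution is the part worth keeping: a top-level entry at the fixed version does not prove the tree is clean, because a requirer with a conflicting range gets its own nested copy, and that copy is the one actually loaded.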

@rfultz
Contributor

rfultz commented Jan 4, 2021

We've run into issues with weaknesses in draft-js before and determined that it's less of a concern for us because it's only used inside the Wagtail editor, which requires editor account login. We could remove ua-parser-js from package.js, but it's only being used by fbjs, which is used by draft-js, which is only used by draftail.

@patphongs any preference between removing ua-parser-js from package.js and then closing/blocking this ticket, or just closing/blocking because having it in package doesn't affect anything else?

@patphongs
Member

@rfultz Let's remove the ua-parser-js package from our code. Then close this issue as this vulnerability is not a risk due to it being behind an authenticated system.

@lbeaufort
Member Author

@patphongs @rfultz FYI, this was still being flagged by Snyk, so I marked it as "not vulnerable" with the note
(From @rfultz)

We've run into issues with weaknesses in draft-js before and determined that it's less of a concern for us because it's only used inside the Wagtail editor, which requires editor account login

https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/?fromGitHubAuth=true#issue-SNYK-JS-UAPARSERJS-1023599
