CVE-2023-42282 #138
CVE-2023-42282 #138
Conversation
|
Thanks for the fix! Could you elaborate on what RFC marks If we go this way - we probably want to add support for other private IP address ( |
.gitignore
Outdated
| # Jetbrains IDE | ||
| .idea/ |
There was a problem hiding this comment.
This should probably be removed, we don't want to pollute repo with opinionated files
There was a problem hiding this comment.
This does exactly what you mentioned: it prevents the repo from being polluted with opinionated files by adding them into .gitignore
There was a problem hiding this comment.
As no other IDE's files are listed here, adding a single one can be seen as opinionated. This addition makes sense, just not without the inclusion of other IDE's config dirs - and definately not as part of this merge request.
Developers can just as easily add the entry/entries corresponding to their editor of choice to the local .git/config file.
There was a problem hiding this comment.
I see your point, yes that makes more sense.
There was a problem hiding this comment.
Because a lot of people don't realize this and might find the info helpful:
These kinds of things can be placed in a .gitignore in a parent directory, such as (typically) your home directory. (If you're a macOS user, you probably want a .gitignore file in your home directory with an entry for .DS_Store.)
lib/ip.js
Outdated
| @@ -311,8 +311,8 @@ ip.isEqual = function (a, b) { | |||
| }; | |||
|
|
|||
| ip.isPrivate = function (addr) { | |||
| return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i | |||
| .test(addr) | |||
| return /^0x7f/i.test(addr) | |||
There was a problem hiding this comment.
This only checks for a single address and not the whole network
There was a problem hiding this comment.
Ideally, input should be sanitized and form a standard ipv4 or ipv6 dot notation, or be rejected and the function fail (see previous comments).
The regex checks if the first octet begins with 0x7f, which should cater for 127.0.0.0/8.
There was a problem hiding this comment.
You are right, misread it... But this approach introduces some other issues w/o addr being sanitised before. You do not check the entire IP so you could easily have something like
0x7f.1.1.1.1.1
being labeled as correct IP and isPrivate would return true
There was a problem hiding this comment.
Indeed, the octal and hex parts should be converted to integers first, similarly to #138 (comment)
There's another discussion about what the function should return if the input is invalid, as semantically, neither public nor private would apply and should probably be an exception. I agree that it peculiar to have mixed hex and dot notation, but that's the crux of the issue - that invalid input to this function is at the root of the CVE. |
|
As a bit of background on where the '0x7f.1' came from... Here is an interesting article that talks about fun with IP addresses using mixed notation Historically, some ip utilities support this way of writing IPv4 addresses. Note the handling of 1, 2 or 3 dots in the ping source. Man page for strtoul that shows support for hex and octal This shows how to handle conversion of ipv4 into 32-bit address, and how to interpret a.b, a.b.c and a.b.c.d. To support this in the library, perhaps sanitize the addr input into a standard notation, then use the existing regexes, which seem to expect 4 octets. |
|
We have created a slightly different patch at @seal-community - I will appreciate your feedback. |
|
https://stackoverflow.com/a/38948504/12576620 |
### Feature or Bugfix - Bugfix ### Detail - Add `.nsprc` file for ignored vulnerabilities in `better-npm-audit`. - Added `ip` package to ignored vulnerabilities with expiration 2024/02/28: https://www.cve.org/CVERecord?id=CVE-2023-42282 The vulnerability found in `ip` affects us because we use the `react-native-community/cli` package. In this package repository an [issue reporting the vulnerabilty](react-native-community/cli#2294) was already raised. Update: `ip` team is working on a fix: indutny/node-ip#138 ### Relates - https://www.cve.org/CVERecord?id=CVE-2023-42282 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
|
How is this PR looking guys? Code reviews don't point out any immediate issues. |
|
|
I guess this comment is blocking I would definitely opt for more tests, even the tests in this PR are happy-path only... There is a great point raised by OP in this comment, there are exposed methods that would benefit calling sanitise before doing processing |
|
possible option - don't solve this completely, solve it incrementally:
This closes the CVE problem at least. In the meantime, consumers can write their own sanitizers if they need them. In time a PR that's nice and magically solves all the hard cases may emerge, but it significantly reduces the work and pressure on the (unpaid) maintainers of this module |
Something like seems like a simple way to do that |
|
Thanks for reviews and comments. Please review these latest commits and let me know if I've missed anything. I've tried to keep it compatible while adding support to interpret octets in a way that aligns with how the ping utility handles it. Changes are in isPrivate and isLoopback, along with a new function normalizeToLong. |
|
Any chance we can get this prioritised considering the cve marked as high and blocking for many people! |
Has anyone compared this PR with this suggested patch from @seal-community? |
Yes, but I haven't tested their patch. They approach it differently by removing the regex for matching the various CIDRs, which probably would perform better, but is a larger deviation from the original implementation. Further, I'm not sure their parsing of the octets will result in the same behaviour. Their parsing of octals may not pickup octal format issues due to the behaviour of parseInt(blah, 8). |
|
| it('should return -1 for an invalid address "256.100.50.25"', () => { | ||
| assert.equal(ip.normalizeToLong('256.100.50.25'), -1); | ||
| }); | ||
|
|
There was a problem hiding this comment.
Thanks for the tests. We can perhaps add more tests to cover other invalid ipv4 address cases:
it('should return -1 for an invalid address where second octet is out of range "251.260.50.25"', () => {
assert.equal(ip.normalizeToLong('251.260.50.25'), -1);
});
it('should return -1 for an invalid address where third octet is out of range "251.110.350.25"', () => {
assert.equal(ip.normalizeToLong('251.110.350.25'), -1);
});
it('should return -1 for an invalid address where fourth octet is out of range "256.100.50.425"', () => {
assert.equal(ip.normalizeToLong('251.110.250.425'), -1);
});
|
What is the timeline to get this patch pushed out? |
|
+1 |
1 similar comment
|
+1 |
|
I would suggest replacing the library, it seems like this is not being actively maintained. |
|
Merged in 6a3ada9, and released in 1.1.9. Many thanks, and sorry for the wait! |
|
@indutny would you be releasing a 2.0.1 as well? btw what's the difference between the 2.x series? |
|
2.0.1 is out! The difference is that 2.x uses |
|
The CVE reported in the github advisory database is not written correctly. NPM does not accept version v1.1.9 as a patched version as the existing CVE lists affected versions are <=2.0.0. This PR fixes the advisory to accept v1.1.9 as a patched version as well. Any idea when/how CVE can be updated? |
Having the CVE present correct information is important, of course. And I know people don't typically control what's deep in their dependency trees. But in case it helps anyone update with confidence: Unless you need to support a Node.js version older than 5.x, updating to ip@2.0.1 should be seamless. And if you need to support a version of Node.js older than 5.x, you are likely dealing with dozens of High and Critical CVEs in addition to this one. |
|
Unfortunately, this does not completely address the CVE. There are many more cases not covered. See #143. |
Hi,
I've made a patch for CVE-2023-42282 (handling of 0x7f.1 address in isPrivate).
Details of the vulnerability
Please review and merge if ok.
Thanks.