
[data grid] Snyk warning for inflight through exceljs #13187

Open

jsyvino opened this issue May 20, 2024 · 6 comments
Labels
- component: data grid (This is the name of the generic UI component, not the React module!)
- external dependency (Blocked by external dependency, we can't do anything about it)
- feature: Export
- security (Pull requests that address a security vulnerability)
- support: premium standard (Support request from a Premium standard plan user. https://mui.com/legal/technical-support-sla/)

Comments


jsyvino commented May 20, 2024

The problem in depth

We recently upgraded our MUI pro license to MUI premium, but after making the code changes our Static Application Security Testing software (Snyk) is now surfacing a vulnerability introduced by @mui/x-data-grid-premium

(Screenshot of the Snyk finding, taken 2024-05-16)

It seems it is introduced through this path: @mui/x-data-grid-premium@7.4.0 › exceljs@4.4.0 › archiver@5.3.2 › archiver-utils@2.1.0 › glob@7.2.3 › inflight@1.0.6

(I know above it says @mui/x-data-grid-premium@7.4.0, but v7.5.0 also uses exceljs@4.4.0 and this was tested)

Here is the relevant link to the issue in inflight: isaacs/inflight-DEPRECATED-DO-NOT-USE#5

We are unable to use MUI Pro if it does not meet our security requirements and we are unsure how to get around this one.

I am noticing glob v9.0.0 does not have this vulnerability, archiver-utils v5.0.0 does not have this vulnerability, and archiver v7.0.0 does not have this vulnerability. Any chance any of those could be pinned on your end? No clue if this is helpful; just sharing what I have found.

Your environment

`npx @mui/envinfo`
   System:
    OS: macOS 13.6
  Binaries:
    Node: 18.6.0 - /opt/homebrew/bin/node
    npm: 8.19.2 - /opt/homebrew/bin/npm
    pnpm: Not Found
  Browsers:
    Chrome: 124.0.6367.208
    Edge: Not Found
    Safari: 16.6

Search keywords: inflight@1.0.6, security vulnerability



You have created a support request under the "Priority Support" terms, which is a paid add-on to MUI X Premium ⏰. Please validate your support key using the link below:

https://tools-public.mui.com/prod/pages/jyhs86t?repo=mui-x&issueId=13187

Do not share your support key in this issue!

Priority Support is only provided to verified customers. Once you have verified your support key, we will remove the support: unknown label and add the support: priority label to this issue. Only then the time for the SLA will start counting.


jsyvino commented May 20, 2024

Ahh, I misunderstood and thought this was included with the MUI premium license, it looks like our support key is not valid for this


romgrk commented May 20, 2024

FWIW, this vulnerability does not apply in any way to frontend code; it can only affect Node.js HTTP requests, and the code related to it is not shipped in your bundle (I think). We're going to look into the exceljs issue, but this is not a security issue for the data grid.

@romgrk romgrk changed the title mui/x-data-grid-premium Vulnerability [datagrid] Snyk warning for inflight through exceljs May 20, 2024
cherniavskii (Member) commented

Hi @jsyvino
Thanks for raising this issue!

Are you using npm as your package manager?
Can you try adding these overrides to your package.json?

```json
"overrides": {
  "@mui/x-data-grid-premium": {
    "exceljs": {
      "archiver": "7.0.1",
      "unzipper": {
        ".": "0.10.14",
        "fstream": {
          ".": "1.0.12",
          "rimraf": "4.4.1"
        }
      }
    }
  }
}
```

These overrides upgrade dependencies that have no breaking changes. I tested this in https://github.com/cherniavskii/data-grid-premium-test and the Excel export works fine, while the inflight package is no longer installed:

```sh
$ npm ls inflight
data-grid-premium-test@1.0.0 /Users/work/workspace/data-grid-premium-test
└── (empty)
```
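The following is an added example, not code from this issue or from MUI. It reproduces, offline, the dependency-path tracing that Snyk reports as "introduced through": it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), resolves each dependency the way npm/Node does (nearest `node_modules` first, then up towards the root), and lists every chain from the project root to a flagged package such as inflight. The two lockfiles are constructed by hand; their version numbers and ranges are illustrative, and the second route in the "before" tree (exceljs › unzipper › fstream › rimraf › glob) is an assumption based on the unzipper/fstream/rimraf entries in the override above.

```javascript
// Added example, not code from the issue or from MUI: trace every dependency
// chain from the project root to a flagged package (here inflight) using the
// `packages` map of a package-lock.json (lockfileVersion 2 or 3). This answers
// the same question as Snyk's "introduced through" path and lets you verify a
// lockfile after applying overrides, independent of the scanner.

// Resolve dependency `name` as Node/npm would from the package installed at
// `fromPath` ("" is the root project): check that package's own nested
// node_modules first, then walk up the tree towards the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (base === '') return null; // not installed anywhere on the way up
    // Strip the trailing "node_modules/<pkg>" segment (scoped names included).
    const idx = base.lastIndexOf('node_modules/');
    base = idx <= 0 ? '' : base.slice(0, idx - 1);
  }
}

// Package name from a lockfile key such as "node_modules/@mui/x-data-grid-premium".
function nameOf(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Depth-first walk from the root. Returns every chain that ends at a package
// named `target`, formatted like the Snyk report: name@version › name@version.
function findPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const visit = (pkgPath, chain, seen) => {
    const entry = packages[pkgPath];
    const deps = { ...(entry.dependencies || {}), ...(entry.devDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, pkgPath, dep);
      if (!resolved || seen.has(resolved)) continue; // unresolved, or a cycle
      const label = nameOf(resolved) + '@' + packages[resolved].version;
      const next = chain.concat(label);
      if (nameOf(resolved) === target) results.push(next.join(' › '));
      visit(resolved, next, new Set(seen).add(resolved));
    }
  };
  visit('', [], new Set(['']));
  return results;
}

// Constructed "before" lockfile mirroring the chain reported in the issue.
// Versions and ranges are illustrative; the second route through
// unzipper › fstream › rimraf is an assumption based on the override's entries.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { '@mui/x-data-grid-premium': '^7.4.0' } },
    'node_modules/@mui/x-data-grid-premium': { version: '7.4.0', dependencies: { exceljs: '^4.4.0' } },
    'node_modules/exceljs': { version: '4.4.0', dependencies: { archiver: '^5.0.0', unzipper: '^0.10.11' } },
    'node_modules/archiver': { version: '5.3.2', dependencies: { 'archiver-utils': '^2.1.0' } },
    'node_modules/archiver-utils': { version: '2.1.0', dependencies: { glob: '^7.1.4' } },
    'node_modules/unzipper': { version: '0.10.11', dependencies: { fstream: '^1.0.12' } },
    'node_modules/fstream': { version: '1.0.12', dependencies: { rimraf: '2' } },
    'node_modules/rimraf': { version: '2.7.1', dependencies: { glob: '^7.1.3' } },
    'node_modules/glob': { version: '7.2.3', dependencies: { inflight: '^1.0.4' } },
    'node_modules/inflight': { version: '1.0.6' },
  },
};

// Constructed "after" lockfile: archiver and rimraf upgraded as in the override.
// glob@10 is hoisted to the root; rimraf keeps a nested glob@9 because the two
// ranges conflict. Neither glob release depends on inflight (their own
// transitive dependencies are trimmed here for brevity).
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { '@mui/x-data-grid-premium': '^7.4.0' } },
    'node_modules/@mui/x-data-grid-premium': { version: '7.4.0', dependencies: { exceljs: '^4.4.0' } },
    'node_modules/exceljs': { version: '4.4.0', dependencies: { archiver: '7.0.1', unzipper: '0.10.14' } },
    'node_modules/archiver': { version: '7.0.1', dependencies: { 'archiver-utils': '^5.0.0' } },
    'node_modules/archiver-utils': { version: '5.0.2', dependencies: { glob: '^10.0.0' } },
    'node_modules/unzipper': { version: '0.10.14', dependencies: { fstream: '1.0.12' } },
    'node_modules/fstream': { version: '1.0.12', dependencies: { rimraf: '4.4.1' } },
    'node_modules/rimraf': { version: '4.4.1', dependencies: { glob: '^9.2.0' } },
    'node_modules/rimraf/node_modules/glob': { version: '9.3.5', dependencies: {} },
    'node_modules/glob': { version: '10.3.12', dependencies: {} },
  },
};

for (const [label, lock] of [['before override', LOCK_BEFORE], ['after override', LOCK_AFTER]]) {
  const paths = findPaths(lock, 'inflight');
  console.log(label + ':\n' + (paths.length ? paths.join('\n') : 'inflight is not installed'));
}
```

To run this against a real project, parse `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the object to `findPaths`. The "before" tree shows why overriding archiver alone is not enough: a second route reaches the hoisted glob@7 through rimraf, which is what the unzipper/fstream/rimraf entries in the override close off.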

@oliviertassinari oliviertassinari changed the title [datagrid] Snyk warning for inflight through exceljs [data grid] Snyk warning for inflight through exceljs May 28, 2024

jsyvino commented May 29, 2024

@cherniavskii Thanks for this. Yes, this is what we did for now; it just doesn't feel like a great long-term solution.

cherniavskii (Member) commented

@jsyvino This would be the suggested workaround for now.
I tried overriding the dependencies on our side in #13216, but it didn't work. Apparently, these overrides are only applied if they're defined in the project's root package.json.

We are considering forking exceljs: exceljs/exceljs#2764
