
Update Request module to Avoid Security Vulnerability #506

Open
akras14 opened this issue Mar 28, 2016 · 10 comments

Comments

@akras14
Contributor

akras14 commented Mar 28, 2016

The nsp module points out a vulnerability in the hawk module that is being used by the request module.

Looks like the hawk version has just been bumped up in the request module, but it has not been released yet. The next release after v2.69.1 should have it, since the commit was already made: request/request@ebb2c3b

Just wanted to put it on your radar.

$: nsp check
(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                                                                                                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ hawk                                                                                                                                                                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 1.1.1                                                                                                                                                                             │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ < 3.1.3  || >= 4.0.0 <4.1.1                                                                                                                                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >=3.1.3 < 4.0.0 || >=4.1.1                                                                                                                                                        │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ firebet@0.0.1 > pkgcloud@1.3.0 > request@2.40.0 > hawk@1.1.1                                                                                                                      │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/77                                                                                                                                             │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
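The "Vulnerable" and "Patched" ranges and the dependency path in the report above are what nsp compares the installed version against. As an added example (not code from pkgcloud, request or nsp), here is a minimal offline evaluator for exactly those range strings; the names `satisfies`, `auditPath`, `rangesPartition` and the constants are assumed.

```javascript
// Added example, not code from the pkgcloud project or the nsp tool: an offline
// evaluator for the version ranges an nsp report prints, so a defender can check
// whether an installed transitive dependency sits in an advisory's "Vulnerable"
// range. Assumption: plain x.y.z versions without prerelease tags.

// Ranges and path copied from the nsp output in the issue.
const HAWK_VULNERABLE = '< 3.1.3  || >= 4.0.0 <4.1.1';
const HAWK_PATCHED = '>=3.1.3 < 4.0.0 || >=4.1.1';
const REPORT_PATH = 'firebet@0.0.1 > pkgcloud@1.3.0 > request@2.40.0 > hawk@1.1.1';

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Component-wise comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` matches `range`: "||" separates alternatives and each
// alternative is a conjunction of comparators ("< 3.1.3" with a space is fine).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((clause) => {
    const comps = [...clause.matchAll(/(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/g)];
    if (comps.length === 0) throw new Error(`unsupported range: ${clause}`);
    return comps.every(([, op, ver]) => {
      const c = compare(v, parseVersion(ver));
      return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op || '='];
    });
  });
}

// Takes the leaf of an nsp dependency path ("a@1 > b@2 > leaf@x.y.z") and
// reports whether the installed leaf version falls in the vulnerable range.
function auditPath(depPath, vulnerableRange) {
  const leaf = depPath.split('>').pop().trim();
  const at = leaf.lastIndexOf('@'); // lastIndexOf so "@scope/name@1.2.3" also works
  const name = leaf.slice(0, at), version = leaf.slice(at + 1);
  return { name, version, vulnerable: satisfies(version, vulnerableRange) };
}

// Sanity check on an advisory: every version is in exactly one of the two ranges.
function rangesPartition(versions, vulnerableRange, patchedRange) {
  return versions.every((v) => satisfies(v, vulnerableRange) !== satisfies(v, patchedRange));
}
```

Running `auditPath(REPORT_PATH, HAWK_VULNERABLE)` reproduces the report's finding for hawk@1.1.1, and the partition check confirms the two advisory ranges cover every version exactly once at the boundaries 3.1.3, 4.0.0 and 4.1.1.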
@CIPowell

CIPowell commented Apr 6, 2016

Please do fix this; we've seen the same advisory.

@3rd-Eden
Contributor

3rd-Eden commented Apr 6, 2016

Hawk isn't used by pkgcloud. Just because it's bundled by request doesn't make the whole module vulnerable.

If you actually look at the code base of request, you'll see that hawk is only used for hawk-based authentication, which is an encoding some rando invented and is not used by any of the cloud providers.

@kenperkins
Member

I can probably look at bumping our dependencies none-the-less.

@CIPowell

CIPowell commented Apr 6, 2016

Thanks @kenperkins

@akras14
Contributor Author

akras14 commented Apr 6, 2016

As can be seen in the path for the report that I posted:

firebet@0.0.1 > pkgcloud@1.3.0 > request@2.40.0 > hawk@1.1.1

Hawk is used by request.

Looks like request has been updated (since I reported the issue) to bump up the Hawk version, so using request@2.70.1 should fix the issue.

@indexzero
Member

The point that @3rd-Eden was making was that pkgcloud does not take advantage of the hawk features exposed by request, thus we are not actually vulnerable if I understand hawk correctly. Nonetheless I agree with @kenperkins that we should bump versions.

@akras14
Contributor Author

akras14 commented Apr 6, 2016

@indexzero Ah, I see. Thanks and good to know.

@kenperkins
Member

FYI @akras14 I don't see request@2.70.1 published yet?

@akras14
Contributor Author

akras14 commented Apr 6, 2016

@kenperkins Thanks, my bad. I've double checked and 2.70.0 is published and has the Hawk version bump.

@mikewli

mikewli commented Apr 17, 2017

Hi,

Just did another NSP scan. pkgcloud@1.4.0 uses request@2.40.0, which has another vulnerability listed in addition to the aforementioned one:
https://nodesecurity.io/advisories/309 (Remote Memory Exposure)

I'm currently ignoring https://nodesecurity.io/advisories/77 as well, since I have a CI build system, but that's obviously not ideal. It would be great if you guys could knock out 2 of them by updating the request dependency version.

6 participants