Following Instructions in Documentation Results in Security Vulnerabilities 😞 #1079
Comments
hey worth taking the trouble to post here since now I know about
The vulnerabilities might be likely caused by a module maintained by npm itself. It's a dependency of semantic-release and there is not much I can do about it, although I'm one of the maintainers of semantic-release, too. We are waiting for npm to fix their modules.
Ah ok thank you for the additional context, @gr2m. As I mentioned, it was my first install and experience with npm. I've heard the horror stories too with The frustrating aspect, of course, is that running the command that says should fix it ( I realize that is not entirely on Probot, but at the moment I am unsure how much of this is due to Probot (that is, with its package references) and how much of it is due to npm as you have mentioned. My main concern is making sure everyone is aware of the experience but also the vulnerabilities to ascertain their impact and/or legitimacy. I mean, I realize I am the last developer on earth to finally jump on the npm train and no one else will ever experience this, but still. 😅
The 4 security vulnerabilities that could not be fixed by
OK... that works for me, @MaximDevoir. Maybe if someone runs into this same issue we've a little more contextual keywords to help let them know that this is a known issue that is unfortunately outside of Probot's control ATM and should be fixed "soon." 😒 Closing this on my side. Please feel free to re-open if I have something fundamentally misunderstood here. Thank you for your assistance and insights!
I was about to open a duplicate of this. Having an issue open to track an open vulnerability would've certainly helped. Especially this issue can then be used to follow up and update the hbs dependency in this repo once they have been fixed. On topic: What is hbs used for here? Is it possible to run probot without hbs support? And does the input stem from user code or is it passed from e.g. GitHub comments (and thus every bot is insecure)? Just a little insight on the impact of this issue would be nice; as a fresh probot user I can't judge the security problems this could entail, but DoS, Arbitrary Code Execution etc. don't sound nice.
Yeah, good point @MeFisto94 ... I was trying to be a good citizen in keeping issue count low but if others are expressing the same concerns it's probably better to let the maintainers decide when to close it.
Probot uses hbs to render templates with Express. The built-in templates with Probot are used for registering your GitHub App while in the development environment - these templates are not affected by the vulnerabilities in hbs. Probot apps may be susceptible to these vulnerabilities if they use Probot's built-in Express router's Example of

```javascript
module.exports = app => {
  // Get Probot's built-in express router, which has the view engine set to hbs
  const router = app.route('/app')
  router.get('/endpoint', (req, res) => {
    res.render('malicious-template.hbs')
  })
}
```

If your Probot app never uses the If your Probot app uses the A quick search through GitHub doesn't show any public Probot apps using the built-in Hope this helps.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This is an evergreen issue. We try to stay on top of it as good as we can :) |
Bug Report
Current Behavior
Greetings. Installing Node and Probot both for the first time here. Following the directions at the following location:
https://probot.github.io/docs/development/
Running the following command and filling out its prompts:
This seems to differ vastly from the output found within the documentation page.
In particular, running `npm audit fix`:

So it would seem that simply creating a Probot project has now introduced 8 vulnerabilities into my development environment, 6 of which are considered `high` impact. After running the suggested guidance of `npm audit fix` there are now 4 remaining, all of which could be `high` impact, but this is unknown as it doesn't really specify. As a new user to both Node/NPM and Probot, I am now saddled with the stressful and disruptive responsibility of figuring out how to "manually review" these vulnerabilities -- let alone submitting an issue on GitHub documenting my experience! -- rather than diving directly into your nifty product and learning some cool magic as your documentation portends.
Hardly a pleasant first impression. 😞
Expected behavior/code
Creating a new Probot project that doesn't result in installing vulnerabilities into my development environment would be a nice start. 😁
Environment