Vulnerability in hoek package #2926

Open
warpdesign opened this Issue Apr 26, 2018 · 28 comments

warpdesign commented Apr 26, 2018

There is a vulnerability in the hoek package, which is required by hawk, which request depends on.

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem.

crccheck commented Apr 27, 2018

I tried just bumping to hawk v7.0.7 earlier today but the test broke. I had to jump off to do something else but I only got as far as this faster way to run the test:

npx taper tests/test-hawk.js

dan-nl commented Apr 27, 2018

As far as I understand it, the issue is with a CVE, https://nvd.nist.gov/vuln/detail/CVE-2018-3728, regarding hoek < v5.0.3; request v2.85.1 requires hawk ~6.0.2, which requires hoek 4.x.x. request requires hawk ~6.0.2 to maintain compatibility with node 4.

Thus, it appears that the CVE is incorrectly considering hoek v4.2.1 as vulnerable and may be why so many GitHub repos are now reporting a vulnerability. I sent an email to nvd.nist.gov about the issue.

Bjornskjald commented Apr 27, 2018

See here: #2891 (comment)

PhilippeVay commented Apr 27, 2018

To confirm the findings of dan-nl, both links in the CVE (securityfocus and hackerone) state that it has been fixed:

Not Vulnerable:
| Hoek Hoek 4.2.1
| Hoek Hoek 5.0.3

vdeturckheim posted a comment. Feb 15th (2 months ago)
Fix has been backported to 4.x track of the module and published as 4.2.1. (see hapijs/hoek#231 )

and it's confirmed by @nlf in hapijs/hoek#230 (comment)

It has been fixed.
To further discuss, (…)

jfoclpf commented Apr 27, 2018

@warpdesign you said

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem

But how do I do that if I don't have hawk directly as a dependency?

autocosts@5.4.4 /home/jfolpf/autocosts
└─┬ request@2.85.0
  └─┬ hawk@6.0.2
    ├─┬ boom@4.3.1
    │ └── hoek@4.2.1  deduped
    ├─┬ cryptiles@3.1.2
    │ └─┬ boom@5.2.0
    │   └── hoek@4.2.1  deduped
    ├── hoek@4.2.1 
    └─┬ sntp@2.1.0
      └── hoek@4.2.1  deduped

Which npm command? npm update request didn't do the job, nor did npm update hoek.
Thanks

jbreckmckye commented Apr 27, 2018

You can't. You have to wait until Request publishes a new version that uses Hawk 7. That's the problem.

johnbeech commented Apr 27, 2018

Can confirm, I've had 6 repos flagged by github for having the hoek vulnerability because of the request library.

warpdesign commented Apr 27, 2018

@jfoclpf I guess it should be possible to temporarily fix the problem by publishing forks with an updated version. But you don't want to go down this road. Better wait for an official resolution (which shouldn't take long, since the CVE state just needs to be updated for hoek v4.2.1).

jfoclpf commented Apr 27, 2018

According to what I have been told from other packages, it's a false positive from GitHub. There is no vulnerability in that version of hoek. Nonetheless it's annoying, so let's wait for an official update of request.

dscalzi commented Apr 27, 2018

The Node.js 4.x release line is going end of life April 30th; compatibility with it should not be a concern after then.

nlf (Contributor) commented Apr 27, 2018

yes, hi 👋 hoek maintainer here. version 4.2.1 has been patched. github's alerts are currently wrong. i've submitted a request to correct the version range in the CVE and also harassed some kind folks at github to take care of things on their end. hopefully they'll stop reporting that version as vulnerable soon.

yumetodo commented Apr 28, 2018

#2926 (comment)
version 4.2.1 has been patched

hapijs/hoek#247 (comment)
I submitted a request to update the CVE, hopefully that’ll happen soon and GitHub can get their db updated. Until that happens this is all out of my hands. I’m leaving this open in the hopes other people will find it.

!?

dan-nl commented Apr 29, 2018

@dscalzi,

hawk > v7.0.0 drops support for node 4 and 6
https://github.com/hueniverse/hawk/blob/v7.0.1/.travis.yml

hawk >= v7.0.0 includes hoek 5.x.x
https://github.com/hueniverse/hawk/blob/master/package.json#L19

hoek v5.x.x drops support for node 4 and 6
https://github.com/hapijs/hoek/blob/v5.0.0/.travis.yml

diamont1001 commented May 2, 2018

How is this issue going now plz?

Bjornskjald commented May 2, 2018

@diamont1001 it's already fixed

diamont1001 commented May 2, 2018

@Bjornskjald are u sure?

request@2.85.0/1 -> hawk@6.0.2 -> hoek@4.x.x

Bjornskjald commented May 2, 2018

@diamont1001 hoek 4.2.1 has the bugfix backported

diamont1001 commented May 2, 2018

Bjornskjald commented May 2, 2018

@diamont1001 because if you weren't lazy enough to read the whole discussion, you would see it's a bug with GitHub and hoek maintainer already contacted them...

JessicaSachs commented May 3, 2018

@nlf Thanks for updating this thread earlier! Any response from Github yet? I'm considering pinging them as well...

debragail commented May 4, 2018

status update?

cmfcmf commented May 4, 2018

status update?

@phillmv from @github staff has posted an explanation at hapijs/hoek#247 (comment):

[...] We fixed the versions we alert on back on Monday, and I personally deleted all the bad alerts earlier today. [...]

NadGu commented May 24, 2018

Hi, I have read all the discussion but I am still having the issue.
I ran npm audit and it reported about 11 vulnerabilities in the hoek package.
I have updated it to 7.0.7 but nothing changed. I have also updated the hawk package as suggested above but still nothing changed.
Can you help me please?

diamont1001 commented May 24, 2018

@NadGu plz check your package-lock.json file first.

NadGu commented May 24, 2018

@diamont1001 done right now. The version of hoek is 4.2.1. What can I do to update it?

diamont1001 commented May 24, 2018

hoek@4.2.1 is ok.
I think that u just have to wait for github to refresh the data, at least I did it at the time, and it worked.
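The check this exchange amounts to (open package-lock.json, find every resolved copy of hoek, and ask whether each one is at or above the fixed release for its line) is worth having as a script, so here is one as an added example; it is not code from request, hawk, hoek or GitHub. It walks the nested "dependencies" layout of a lockfileVersion-1 package-lock.json (the format npm wrote in 2018), records the dependency path to each copy, and compares the version against the fixed releases the thread cites: 4.2.1 on the 4.x line (the backport) and 5.0.3 on the 5.x line. The sample lock file is constructed to mirror the tree jfoclpf pasted above, plus a made-up second dependent pinned to an older 4.2.0 so both outcomes appear; the FIXED_HOEK table, the function names, and the plain x.y.z comparison (no prerelease tags) are assumptions of this example.

```javascript
// Added example, not code from the request/hawk/hoek projects or from GitHub.
// Walk a lockfileVersion-1 package-lock.json, list every resolved copy of a
// package with its dependency path, and classify each copy against the fixed
// release for its major line. Fixed versions are the ones quoted in the thread.
const FIXED_HOEK = { 4: '4.2.1', 5: '5.0.3' };   // assumption: plain x.y.z only

function parseVersion(v) {
  return v.split('.').map(Number);                  // '4.2.1' -> [4, 2, 1]
}

// Negative if a < b, 0 if equal, positive if a > b (no prerelease handling).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// 'fixed' when at or above the fixed release of its major line, 'vulnerable'
// when below it, 'unknown' when the table lists no fixed release for that line.
function classify(version, fixedByMajor) {
  const fixed = fixedByMajor[parseVersion(version)[0]];
  if (fixed === undefined) return 'unknown';
  return compareVersions(version, fixed) >= 0 ? 'fixed' : 'vulnerable';
}

// Recursively walk the nested "dependencies" maps of a lockfileVersion-1 file.
// Hoisted (deduped) copies appear once at the level npm placed them, so every
// distinct resolved copy is visited exactly once.
function findPackage(lock, name, fixedByMajor = FIXED_HOEK) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = [...path, `${depName}@${entry.version}`];
      if (depName === name) {
        hits.push({
          version: entry.version,
          path: here.join(' > '),
          status: classify(entry.version, fixedByMajor),
        });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock file (not a real project's file): the request >
// hawk > hoek@4.2.1 chain from the thread, plus a hypothetical dependent
// still pinned to hoek@4.2.0 so that a genuinely unfixed copy shows up.
const SAMPLE_LOCK = {
  name: 'autocosts', version: '5.4.4', lockfileVersion: 1,
  dependencies: {
    request: { version: '2.85.0', dependencies: {
      hawk: { version: '6.0.2', dependencies: {
        boom: { version: '4.3.1' },
        cryptiles: { version: '3.1.2', dependencies: { boom: { version: '5.2.0' } } },
        hoek: { version: '4.2.1' },
        sntp: { version: '2.1.0' },
      } },
    } },
    'some-old-lib': { version: '1.0.0', dependencies: { hoek: { version: '4.2.0' } } },
  },
};

function auditSample() {
  return findPackage(SAMPLE_LOCK, 'hoek');
}

// CLI use: node audit-lock.js ./package-lock.json hoek   (falls back to the sample)
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const hit of findPackage(lock, process.argv[3] || 'hoek')) {
    console.log(`${hit.status.padEnd(10)} ${hit.path}`);
  }
}
```

If every path comes back 'fixed', the alert is stale on the scanner's side, which is what this thread concluded for hoek@4.2.1; a 'vulnerable' path instead names the dependent whose own pin has to move, which is why bumping hawk or hoek at the top level (as NadGu tried) changes nothing for a copy nested under another package.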

NadGu commented May 24, 2018

@diamont1001 So let's wait! At least I did all that I could. Thank you!

phillmv commented May 24, 2018

@NadGu Hi!

Are you saying you have a repository on GitHub where we're still flagging a version of 4.2.1 as being vulnerable? That shouldn't be happening!

Please email support@github.com with the repository link and mention @phillmv and we'll take it from there :).
