
(GitHub Dependabot) Racing Conditions and path traversal in Grunt < 1.5.3 #1010

kszumko opened this issue Jan 3, 2023 · 5 comments (Closed)

kszumko commented Jan 3, 2023

GitHub pinned it as a high-severity and moderate threat, full description:

  • Race Condition in Grunt:
    file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes, which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories, as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace the /etc/shadow file if the GruntJS user is root.

    Solution:
    Update "grunt": ">=1.5.3"

  • Path Traversal in Grunt:
    Grunt prior to version 1.5.2 is vulnerable to path traversal.
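The advisory above describes the classic check-then-write race: a copy routine that inspects the destination path and then opens it by name can be redirected through a symlink planted between the two steps. The following is an added example (not Grunt's code and not from this thread) showing the defensive pattern in Python: the destination is opened with O_NOFOLLOW so the kernel rejects a symlink atomically at open time, and the already-opened descriptor is fstat()-ed before any bytes are written. The demo() function builds a constructed temporary tree with a symlinked destination to show the copy being refused; it assumes a POSIX platform that supports O_NOFOLLOW.

```python
"""Symlink-safe file copy: avoid the lstat()-then-open() TOCTOU window.

Added example, not code from GruntJS. Assumes a POSIX platform where
os.O_NOFOLLOW exists (Linux, macOS); on platforms without it the flag
falls back to 0 and the protection does not apply.
"""
import os
import stat
import tempfile
from pathlib import Path

_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def copy_without_following_symlinks(src, dst) -> int:
    """Copy src to dst and return the number of bytes written.

    The destination is opened with O_NOFOLLOW, so if dst is a symlink the
    open() itself fails (ELOOP) instead of writing through the link. Both
    descriptors are then fstat()-ed: checking the open fd, rather than the
    path, leaves no window for the file to be swapped in between.
    """
    src_fd = os.open(src, os.O_RDONLY | _NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(src_fd).st_mode):
            raise ValueError("source is not a regular file")
        dst_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | _NOFOLLOW, 0o644)
        try:
            if not stat.S_ISREG(os.fstat(dst_fd).st_mode):
                raise ValueError("destination is not a regular file")
            written = 0
            while True:
                chunk = os.read(src_fd, 65536)
                if not chunk:
                    break
                # os.write may write fewer bytes than requested; loop until done.
                view = memoryview(chunk)
                while view:
                    n = os.write(dst_fd, view)
                    view = view[n:]
                written += len(chunk)
        finally:
            os.close(dst_fd)
    finally:
        os.close(src_fd)
    return written


def demo() -> dict:
    """Constructed scenario: a plain destination succeeds, a symlinked
    destination is refused and the file behind the link stays untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src.txt"
        src.write_bytes(b"hello grunt\n")
        victim = root / "victim.txt"          # file an attacker would target
        victim.write_bytes(b"untouched\n")
        link = root / "dst-link"
        link.symlink_to(victim)               # planted symlink at the destination
        plain = root / "dst-plain"

        result = {"plain_bytes": copy_without_following_symlinks(src, plain)}
        try:
            copy_without_following_symlinks(src, link)
            result["symlink_refused"] = False
        except OSError:                       # ELOOP from O_NOFOLLOW
            result["symlink_refused"] = True
        result["victim_intact"] = victim.read_bytes() == b"untouched\n"
        return result


if __name__ == "__main__":
    print(demo())
```

The key design choice is that every decision is made on a file descriptor obtained in a single open() call; a version that calls os.path.islink(dst) first and then open(dst) has exactly the race the advisory describes.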
@hakan-77

Hi,

I see that the grunt version was updated on 22nd Nov on GitHub, which is the same date as the latest deployment on PyPI.

However, package.json in the PyPI deployment still points to the older version with the security issue. Are there any plans for a fresh PyPI deployment?

	"devDependencies": {
		"commitplease": "3.2.0",
		"eslint-config-jquery": "3.0.0",
		"glob": "7.1.7",
		"grunt": "1.4.1",
		"grunt-bowercopy": "1.2.5",
		"grunt-cli": "1.4.3",
		"grunt-compare-size": "0.4.2",
		"grunt-contrib-concat": "1.0.1",
		"grunt-contrib-csslint": "2.0.0",
		"grunt-contrib-qunit": "5.0.1",
		"grunt-contrib-requirejs": "1.0.0",
		"grunt-contrib-uglify": "5.0.1",
		"grunt-eslint": "23.0.0",
		"grunt-git-authors": "3.2.0",
		"grunt-html": "14.5.0",
		"load-grunt-tasks": "5.1.0",
		"rimraf": "3.0.2",
		"testswarm": "1.1.2"
	},

Thank you,
Hakan

@sehmaschine (Owner)

@hakan-77 I'm confused ... what package.json are you referring to? Because you are listing stuff which we don't use at all (e.g. rimraf). Are you sure you're having the right file there?

hakan-77 commented Mar 5, 2023

@sehmaschine looks like Grappelli's dependency on old grunt is through jquery. I'm sharing below where the problematic dependency is installed in a sample conda env:

/Users/hakan/.conda/envs/my_conda_env/lib/python3.8/site-packages/grappelli/static/grappelli/jquery/ui/package.json

I also think the grunt version was upgraded to fix this with the commit below, but maybe this change was not deployed in the PyPI version of grappelli. What we get from PyPI still has the old version of grunt with the security bug.

ce7bd87#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
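The comment above illustrates how a vulnerable pin can survive inside a Python package: the package.json is vendored static data, so neither pip nor Dependabot's npm scanning of the repository reflects what is actually installed. The following added example (not Grappelli's or jQuery UI's code) walks an installed environment, parses every package.json it finds, and reports those whose grunt pin resolves below 1.5.3, the fixed version named in the advisory. It generalises slightly beyond the exact 1.4.1 pin by handling caret, tilde and range prefixes, and flags specs with no numeric version for manual review. The directory tree in demo() is constructed for the example; only the grappelli/static/grappelli/jquery/ui path mirrors the location named in the comment.

```python
"""Find vendored package.json files that still pin a Grunt release < 1.5.3.

Added example, not Grappelli's code. The sample tree built in demo() is
constructed; the minimum fixed version comes from the advisory (1.5.3).
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

FIXED_GRUNT = (1, 5, 3)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec: str) -> Optional[Tuple[int, int, int]]:
    """Extract the lowest concrete version from a dependency spec.

    Handles exact pins ("1.4.1") and common range prefixes ("^1.4.1",
    "~1.4.1", ">=1.5.3"). Returns None when no numeric version is present
    (e.g. "latest" or a git URL), which callers should treat as unknown.
    """
    m = _VERSION_RE.search(spec)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def grunt_spec(pkg: dict) -> Optional[str]:
    """Return the grunt spec from dependencies or devDependencies, if any."""
    for section in ("dependencies", "devDependencies"):
        deps = pkg.get(section)
        if isinstance(deps, dict) and isinstance(deps.get("grunt"), str):
            return deps["grunt"]
    return None


def find_vulnerable_grunt(root: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (path, spec) for each package.json under root whose grunt pin is
    below FIXED_GRUNT or cannot be parsed at all."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = Path(dirpath) / "package.json"
        try:
            pkg = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or not JSON: nothing to assess here
        if not isinstance(pkg, dict):
            continue
        spec = grunt_spec(pkg)
        if spec is None:
            continue
        version = parse_version(spec)
        if version is None or version < FIXED_GRUNT:
            yield path, spec


def demo() -> list:
    """Scan a constructed site-packages-like tree; returns the relative paths
    of the package.json files that are flagged."""
    cases = {
        "grappelli/static/grappelli/jquery/ui": {"devDependencies": {"grunt": "1.4.1"}},
        "other/fixed": {"devDependencies": {"grunt": ">=1.5.3"}},
        "other/caret": {"dependencies": {"grunt": "^1.5.2"}},
        "other/none": {"dependencies": {"lodash": "4.17.21"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in cases.items():
            d = root / rel
            d.mkdir(parents=True)
            (d / "package.json").write_text(json.dumps(content), encoding="utf-8")
        return sorted(p.relative_to(root).as_posix() for p, _ in find_vulnerable_grunt(root))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Pointing find_vulnerable_grunt at a real site-packages directory (for example the conda env path quoted above) lists every vendored pin that the advisory applies to, independent of what the upstream repository's package.json says today.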

@sehmaschine sehmaschine self-assigned this Mar 6, 2023
@sehmaschine (Owner)

@hakan-77 Ok, thanks for checking. I think we can safely remove package.json from the jquery-ui package. Will do that.

hakan-77 commented Mar 9, 2023

Thank you, @sehmaschine
