
Prototype pollution attack in hoek (via hawk and request) #3800

Closed
jeemok opened this issue Feb 16, 2018 · 2 comments

jeemok commented Feb 16, 2018

Expected result

Expected to pass NSP, however, failed because it has a vulnerable dependency.

Additional information


(+) 1 vulnerabilities found
┌───────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Prototype pollution attack                                                                                                                                                 │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ hoek                                                                                                                                                                       │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS          │ 4 (Medium)                                                                                                                                                                 │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 4.2.0                                                                                                                                                                      │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                                                                                                                               │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ > 4.2.0 < 5.0.0 || >= 5.0.3                                                                                                                                                │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ htm-next-api@1.0.0 > loopback@3.16.2 > strong-remoting@3.6.0 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0                                                                    │
├───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/566                                                                                                                                     │
└───────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Ref: https://hackerone.com/reports/310439
Related issue: hapijs/hoek#230
Related PR: hapijs/hoek#231

virkt25 (Contributor) commented Feb 16, 2018

Hi @jeemok, unfortunately this issue is caused by a downstream dependency, as can be seen in the Path from the NSP report. hoek has a fix, hawk picked it up in version 7.x.x, but request still uses 6.x.x. So until request gets updated, we can't do anything. See issue request/request#2874

There is an issue in their repository so a patch should be coming soon, and if it's not a major release (I don't expect it to be), it should be picked up by the rest of the dependencies automatically.

I'll leave this issue open to verify we're good once request is updated.

@virkt25 virkt25 self-assigned this Feb 16, 2018
@bajtos bajtos changed the title NSP Security Check Fails #566 Prototype pollution attack in hoek (via hawk and request) Mar 20, 2018
joshrickert commented

Hoek has backported the fix and released it with 4.2.1, which satisfies the required versions all the way up the dependency tree without needing any changes in this repo. I was able to clear out the security notice by forcing an update:

npm install hoek@4.2.1 --save
npm uninstall hoek --save

Clearing out your node_modules and package-lock.json then running a fresh npm install should also do the trick.
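The advisory quoted in this thread concerns a recursive merge that copies a `__proto__` key onto `Object.prototype`. The following is an added illustration of that vulnerability class and of the usual mitigation; it is not hoek's code, not code from this repository, and not the exact fix shipped in hoek 4.2.1. Names such as `naiveMerge`, `safeMerge` and `pollutes`, and the sample JSON document, are constructed for this example.

```javascript
// Naive recursive merge: walks every own key of `source`, including a key
// literally named "__proto__". Reading target["__proto__"] yields
// Object.prototype, so the recursion writes into the global prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge reach a prototype instead of an own property.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Hardened merge: refuses the prototype-reaching keys and only recurses into
// objects that are own properties of `target`, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownExisting =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownExisting) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input (not from the advisory): a JSON document that
// carries a "__proto__" member, as JSON.parse creates it as an own property.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Detection helper: merges the sample document into an empty object and
// reports whether an unrelated fresh object now inherits the injected key.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function pollutes(mergeFn) {
  try {
    mergeFn({}, JSON.parse(UNTRUSTED_JSON));
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));   // false
```

The `pollutes` check is the kind of regression test worth keeping next to any deep-merge or deep-clone helper: it fails loudly if a future refactor reintroduces the behaviour, independently of what version of a third-party library happens to be installed.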

@jeemok jeemok closed this as completed Apr 17, 2018