
Swarm.js - Arbitrary File Write vulnerability #3399

Closed
shaunazzopardi opened this issue Mar 2, 2020 · 9 comments · Fixed by #3403
Labels
1.x 1.0 related issues

Comments

@shaunazzopardi

Expected behavior

No high vulnerabilities.

Actual behavior

Getting an Arbitrary File Write vulnerability.

Steps to reproduce the behavior

  1. npm install web3
  2. npm audit

Logs

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   web3
  Path            web3 > web3-bzz > swarm-js > decompress
  More info       https://npmjs.com/advisories/1217

Versions

Web3 1.2.6

@cgewecke cgewecke added 1.x 1.0 related issues dependencies labels Mar 3, 2020
@cgewecke
Collaborator

cgewecke commented Mar 3, 2020

@shaunazzopardi Thanks for reporting.

It looks like neither swarm-js nor decompress is being actively developed, unfortunately.

The underlying issue is being tracked at decompress #76.

@cgewecke
Collaborator

cgewecke commented Mar 3, 2020

For near-term maintenance purposes we could fork swarm-js to the web3-js org (or ethereumjs) and move decompress to development dependencies. Believe it's only used in a script to generate archive entries and is incidental to the library methods.

Longer term options include migrating swarm support to the erebos api or just deprecating it altogether.
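The reproduction steps in the issue and the devDependencies proposal above both come down to one npm rule: devDependencies are installed only for the root project, never for packages pulled in transitively. The following is an added example, not code from web3.js or swarm-js, that models the audit "Path" row over a constructed, version-less registry (the package names are stand-ins for the real ones; "my-app" is a hypothetical consumer) and shows why declaring decompress as a devDependency of swarm-js removes it from a consumer's install while a maintainer working inside the swarm-js checkout would still see it:

```javascript
// Added example (not from web3.js or swarm-js). Constructed, simplified
// manifests modeled on the advisory path: web3 > web3-bzz > swarm-js > decompress.
// Version ranges are ignored; "my-app" is a hypothetical consumer of web3.
const registryBefore = {
  "my-app":     { dependencies: { "web3": "*" } },
  "web3":       { dependencies: { "web3-bzz": "*" } },
  "web3-bzz":   { dependencies: { "swarm-js": "*" } },
  "swarm-js":   { dependencies: { "decompress": "*" } },
  "decompress": { dependencies: {} },
};

// After the proposed fix: decompress is only needed by a script in swarm-js,
// so it is declared as a devDependency and leaves the published dependency tree.
const registryAfter = {
  ...registryBefore,
  "swarm-js": { dependencies: {}, devDependencies: { "decompress": "*" } },
};

// Breadth-first search from `root` to `target` over the packages npm would
// install. devDependencies are followed only for the root project itself,
// which is exactly the rule that makes the fix effective for consumers.
// Returns the dependency chain (like the audit "Path" row) or null when
// `target` is not installed at all.
function findPath(registry, root, target) {
  const parent = new Map([[root, null]]);
  const queue = [root];
  while (queue.length) {
    const name = queue.shift();
    if (name === target) {
      const path = [];
      for (let n = name; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    const manifest = registry[name];
    if (!manifest) throw new Error(`unknown package in constructed registry: ${name}`);
    const next = [
      ...Object.keys(manifest.dependencies || {}),
      ...(name === root ? Object.keys(manifest.devDependencies || {}) : []),
    ];
    for (const dep of next) {
      if (!parent.has(dep)) {
        parent.set(dep, name);
        queue.push(dep);
      }
    }
  }
  return null;
}

// Render a chain the way `npm audit` prints its "Path" row, without the root.
function auditPath(path) {
  return path === null ? "(not installed)" : path.slice(1).join(" > ");
}

// Before the fix a consumer installs decompress through web3:
console.log("before:", auditPath(findPath(registryBefore, "my-app", "decompress")));
// After the fix the consumer's tree no longer contains it:
console.log("after: ", auditPath(findPath(registryAfter, "my-app", "decompress")));
// ...but a maintainer running `npm audit` inside swarm-js itself still gets
// the devDependency, so the advisory would still show up there:
console.log("swarm-js checkout:", auditPath(findPath(registryAfter, "swarm-js", "decompress")));
```

The last call is the caveat worth remembering when verifying a fix like this: run the audit from a fresh consumer project (as in the reproduction steps above), not from the fixed package's own repository, since npm installs the root project's devDependencies and will keep reporting the advisory there.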

@evertonfraga

evertonfraga commented Mar 3, 2020 via email

@cgewecke
Collaborator

cgewecke commented Mar 3, 2020

@evertonfraga Ah that would be great! I saw commits by you but didn't see another publish.

@cgewecke
Collaborator

cgewecke commented Mar 4, 2020

@evertonfraga Opened swarm-js 36 for that change.

@evertonfraga

I published swarm-js 0.1.40. Please check!

@evertonfraga evertonfraga self-assigned this Mar 4, 2020
@cgewecke
Collaborator

cgewecke commented Mar 4, 2020

@evertonfraga LGTM!

+ swarm-js@0.1.40
added 169 packages from 119 contributors and audited 356 packages in 18.645s
found 0 vulnerabilities

@evertonfraga

That's great :)

If you need anything else on that front, lmk!

@holgerd77 holgerd77 changed the title Arbitrary File Write vulnerability Swarm.js - Arbitrary File Write vulnerability Mar 4, 2020
@holgerd77
Collaborator

@cgewecke @evertonfraga Hi guys, greetings from EthCC, you are missed! 🥰 Thanks for keeping up on the real-work-to-be-done-front!

Labels
1.x 1.0 related issues

4 participants