collecting info on node vulnerabilities#35
collecting info on node vulnerabilities#35sam-github wants to merge 1 commit intonodejs:masterfrom sam-github:add-node-vulns
Conversation
|
So far I have just scraped the changelogs from 8.x back to and including 4.x, no further, now I have to read through in more detail and organize the issues into individual records and then into the JSON schema. |
vuln/SCHEMA.md
Outdated
| |-----|------|-------------|---------| | ||
| |`id`|Integer > 0|Unique number identifying the record|349| | ||
| |`created_at`|date-time|Record creation|"2017-05-19T22:45:59.16+00:00"| | ||
| XXX do we need this, or is it just a mongo internal field? |
There was a problem hiding this comment.
This was our identifier. You don't have to keep this. It was a postgres integer incrementing when we added vulns.
vuln/SCHEMA.md
Outdated
| XXX do we need this, or is it just a mongo internal field? | ||
|
|
||
| |`updated_at`|date-time|Record update|"2017-06-05T13:01:57.071+00:00"| | ||
| XXX do we need this, or is it just a mongo internal field? |
There was a problem hiding this comment.
These are date fields that are useful. I'd keep them but it's totally up to you.
vuln/SCHEMA.md
Outdated
|
|
||
| |`title`|String|Short readable description|"Directory Traversal"| | ||
| |`author`|String|Finder of vuln|"Liang Gong"| | ||
| XXX what if reporter was not finder? |
There was a problem hiding this comment.
+1 to changing this name, we never did because of legacy support but yes I'd change it and possibly add other fields to give appropriate credit such as who authored the advisory, who found the issue, etc.
vuln/SCHEMA.md
Outdated
| |`publish_date`|date-time|when made public|"2017-06-05T13:01:57.07+00:00"| | ||
| |`cves`|Array[String]|Associated CVE IDs|[]| | ||
| XXX only 22 and 7 have multiple CVEs, might be simpler to enforce a CVE-per-record rule | ||
| XXX for both, all the CVEs are reserved but still empty, whats up? |
There was a problem hiding this comment.
it's CVE. We don't control that. /shrug
vuln/SCHEMA.md
Outdated
| XXX see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743 for example | ||
|
|
||
| |`vulnerable_versions`|semver-spec|vulnerable versions?|"<99.999.9999"| | ||
| XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? |
There was a problem hiding this comment.
yes it uses the semver package and supports the ranges it supported (loose option was set)
vuln/SCHEMA.md
Outdated
| XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? | ||
|
|
||
| |`patched_versions`|semver-spec|versions after fixed?|"<0.0.0"| | ||
| XXX so vulnerable versions are `vulnerable_versions` MINUS `patched_versions`? And any other versions are assumed not vulnerable? |
vuln/SCHEMA.md
Outdated
| |`overview`|Multiline String|Long form description|"`badjs-sourcemap-server` recieves files sent by `badjs-sourcemap`.\n\n`badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing \"../\" in the url.\n\nExample request:\n```\nGET /../../../../../../etc/passwd HTTP/1.1\nhost:localhost\n```\nand response:\n```\nHTTP/1.1 200 OK\nDate: Wed, 17 May 2017 22:59:49 GMT\nConnection: keep-alive\nTransfer-Encoding: chunked\n\n{content of /etc/passwd}\n```"| | ||
| |`recommendation`|Multiline String|Recommendation for mitigation|"Because there is no fix for this module, we recommend using a different one."| | ||
| |`references`|String, multiline markdown bullet list|URLs of interest?|"* [PoC by Liang Gong](https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/badjs-sourcemap-server)"| | ||
| XXX what is structure? do they have to be markdown URLs? |
There was a problem hiding this comment.
it's markdown formatted text.
vuln/SCHEMA.md
Outdated
|
|
||
| |`cvss_vector`|CVSS vector|CVSS vector|"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"| | ||
| |`cvss_score`|CVSS score|Calculated from vector|7.5| | ||
| XXX cvss v2? https://nvd.nist.gov/vuln-metrics/cvss/vector-v2 or https://www.first.org/cvss/v2/guide ? |
There was a problem hiding this comment.
I believe v2 - it uses this module https://www.npmjs.com/package/cvss
vuln/SCHEMA.md
Outdated
| XXX cvss v2? https://nvd.nist.gov/vuln-metrics/cvss/vector-v2 or https://www.first.org/cvss/v2/guide ? | ||
|
|
||
| |`coordinating_vendor`| "^Lift Security" | ||
| XXX Company who reported? But different from the author? Is coordination a thing, if so, what is coordinated? |
There was a problem hiding this comment.
For example. why should other vendors contributor and help with this process. It's not required but giving them credit for who help the disclosure process (hand holding) would be nice. I have a feeling we'll be sending a lot of stuff your way in the future and if it's already all buttoned up and written up it would be nice to give credit. Could be some other field though.
|
This is a first pass at finding the node security issues released, only 4.x and later. @evilpacket @grnd I'd be interested in opionions on the description and overview text, since I imagine that tools could be extended to detect the current version of node, and report and vulnerabilities associated with it from this information. I'm wondering about details such as active/passive voice, description of problem vs description of fix (node usually describes the fix, not the problem), and whether the description field should/should not be capitalized, be a full sentence. Or whether it doesn't matter. The data is currently in a text file for easy of updating (much easier than JSON), but I have a script locally that explodes it into JSON. I'll do one more pass on the data to check for quality and typos, but I'm a bit burnt out after 2 days of going through this, that will have to wait until next week when I'm back from vacation. |
vuln/core/README.txt
Outdated
|
|
||
| -- | ||
|
|
||
| CVE: XXX assigned, @mhdawson, what is it? |
vuln/core/README.txt
Outdated
|
|
||
| -- | ||
|
|
||
| XXX break into 4 records? |
There was a problem hiding this comment.
is breaking this into a record per CVE busy work, or does it make the data much easier to consume? I suspect the latter, I'll probably make sure that no record has more than a single CVE, that seems to be what rubysec does, but perhaps I misundertand the CVE purposes. Comments?
vuln/core/README.txt
Outdated
| code. This vulnerability would require an attacker to be able to execute | ||
| arbitrary JavaScript code in a Node.js process. | ||
|
|
||
| XXX This is not remote, why was it considered a security issue for node? |
There was a problem hiding this comment.
I will find the PR for this in a second pass and look for commentary by @nodejs/security
There was a problem hiding this comment.
There was a problem hiding this comment.
@bnoordhuis looking at the conversations, it looks to me that this V8 bug alone would probably not have triggered a security release, but since a security release was already happening (https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/) and it is a V8 bug, and 6.x was transitioning to LTS, it was easy to just bundle it in.
There was a problem hiding this comment.
Yes, that sounds about right.
vuln/core/README.txt
Outdated
|
|
||
| -- | ||
|
|
||
| XXX split into two records? |
There was a problem hiding this comment.
this seems like two related vulns, better to be two records with one CVE per record.
vuln/core/README.txt
Outdated
|
|
||
| -- | ||
|
|
||
| XXX this doesn't appear to be remote, is it a node vulnerability? |
There was a problem hiding this comment.
need to find why @nodejs/security called this a vuln, seems like it needs code access to me, though perhaps data can be injected?
There was a problem hiding this comment.
https://github.com/nodejs/security/issues/20 for context.
There was a problem hiding this comment.
OK, looks like its CVSS score indicated it was a vuln, and its possible to imagine data being injected which when stringified and returned would leak memory?
vuln/core/README.txt
Outdated
|
|
||
| -- | ||
|
|
||
| XXX this was NOT called a security release? |
There was a problem hiding this comment.
since this breaks a security guarantee, seems like it would deserve a CVE @nodejs/security
There was a problem hiding this comment.
this seems similarl to https://github.com/nodejs/security-wg/pull/35/files#r131361440, could be a vuln
|
@nodejs/security PTAL, does this reflect known vulnerabilities in node? The README.txt is probably easier to review, though I intend to delete it and the explode.js script and commit only the JSON vulnerabilities into the database. @nodejs/security-wg is the format of this useful? In particular, will it be useful to tools to allow them to report vulnerabilities not only in module dependencies, but also in the version of the node runtime itself? Can you think of a better naming convention than sequential IDs? Eventually, I hope to be able to apply for CVEs for them all, but that won't happen very quickly. |
sam-github
changed the title
gibfahn
left a comment
gibfahn
left a comment
There was a problem hiding this comment.
Hard to say how useful it is, that depends on what tools target it. But I'd say it's fairly useful just as a list to manually parse.
vuln/core/1.json
Outdated
| ], | ||
| "ref": "https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/", | ||
| "vulnerable": "8.x, 7.x, 4.x, 6.x, 5.x", | ||
| "patched": "^8.1.4, ^7.10.1, ^4.8.4, ^6.11.1", |
There was a problem hiding this comment.
Would an array make more sense than a , separated list here?
There was a problem hiding this comment.
I don't think so, this is consistent with the version spec formats in the package.json engine field, and also with usage of https://github.com/npm/node-semver#usage, which is how it will probably be used. at least, its intended to be compatible with node-semver, I'll do a check.
There was a problem hiding this comment.
It wasn't correct, a logical OR needs ||, not , . Fixed.
| "vulnerable": "6.x", | ||
| "patched": "^6.9.0", | ||
| "ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for", | ||
| "author": "Jann Horn", |
There was a problem hiding this comment.
Ref #35 (comment), changing author to something else seems like a good idea.
Maybe reporter?
There was a problem hiding this comment.
Reasonably, but that should happen first in #34, and then applied to vuln/core as well as vuln/npm
PR-URL: #35 Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
|
landed in c7041cd |
PR-URL: nodejs/security-wg#35 Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
PR-URL: nodejs/security-wg#35 Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
4 participants
These will be reformatted into JSON, just PRing early so what I'm
working on is visible.
Depends on #34