-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
collecting info on node vulnerabilities #35
Conversation
So far I have just scraped the changelogs from 8.x back to and including 4.x, no further, now I have to read through in more detail and organize the issues into individual records and then into the JSON schema. |
vuln/SCHEMA.md
Outdated
|-----|------|-------------|---------| | ||
|`id`|Integer > 0|Unique number identifying the record|349| | ||
|`created_at`|date-time|Record creation|"2017-05-19T22:45:59.16+00:00"| | ||
XXX do we need this, or is it just a mongo internal field? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was our identifier. You don't have to keep this. It was a postgres integer incrementing when we added vulns.
vuln/SCHEMA.md
Outdated
XXX do we need this, or is it just a mongo internal field? | ||
|
||
|`updated_at`|date-time|Record update|"2017-06-05T13:01:57.071+00:00"| | ||
XXX do we need this, or is it just a mongo internal field? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are date fields that are useful. I'd keep them but it's totally up to you.
vuln/SCHEMA.md
Outdated
|
||
|`title`|String|Short readable description|"Directory Traversal"| | ||
|`author`|String|Finder of vuln|"Liang Gong"| | ||
XXX what if reporter was not finder? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to changing this name, we never did because of legacy support but yes I'd change it and possibly add other fields to give appropriate credit such as who authored the advisory, who found the issue, etc.
vuln/SCHEMA.md
Outdated
|`publish_date`|date-time|when made public|"2017-06-05T13:01:57.07+00:00"| | ||
|`cves`|Array[String]|Associated CVE IDs|[]| | ||
XXX only 22 and 7 have multiple CVEs, might be simpler to enforce a CVE-per-record rule | ||
XXX for both, all the CVEs are reserved but still empty, whats up? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's CVE. We don't control that. /shrug
vuln/SCHEMA.md
Outdated
XXX see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743 for example | ||
|
||
|`vulnerable_versions`|semver-spec|vulnerable versions?|"<99.999.9999"| | ||
XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes it uses the semver package and supports the ranges it supported (loose option was set)
vuln/SCHEMA.md
Outdated
XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? | ||
|
||
|`patched_versions`|semver-spec|versions after fixed?|"<0.0.0"| | ||
XXX so vulnerable versions are `vulnerable_versions` MINUS `patched_versions`? And any other versions are assumed not vulnerable? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct
vuln/SCHEMA.md
Outdated
|`overview`|Multiline String|Long form description|"`badjs-sourcemap-server` recieves files sent by `badjs-sourcemap`.\n\n`badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing \"../\" in the url.\n\nExample request:\n```\nGET /../../../../../../etc/passwd HTTP/1.1\nhost:localhost\n```\nand response:\n```\nHTTP/1.1 200 OK\nDate: Wed, 17 May 2017 22:59:49 GMT\nConnection: keep-alive\nTransfer-Encoding: chunked\n\n{content of /etc/passwd}\n```"| | ||
|`recommendation`|Multiline String|Recommendation for mitigation|"Because there is no fix for this module, we recommend using a different one."| | ||
|`references`|String, multiline markdown bullet list|URLs of interest?|"* [PoC by Liang Gong](https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/badjs-sourcemap-server)"| | ||
XXX what is structure? do they have to be markdown URLs? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's markdown formatted text.
vuln/SCHEMA.md
Outdated
|
||
|`cvss_vector`|CVSS vector|CVSS vector|"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"| | ||
|`cvss_score`|CVSS score|Calculated from vector|7.5| | ||
XXX cvss v2? https://nvd.nist.gov/vuln-metrics/cvss/vector-v2 or https://www.first.org/cvss/v2/guide ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe v2 - it uses this module https://www.npmjs.com/package/cvss
vuln/SCHEMA.md
Outdated
XXX cvss v2? https://nvd.nist.gov/vuln-metrics/cvss/vector-v2 or https://www.first.org/cvss/v2/guide ? | ||
|
||
|`coordinating_vendor`| "^Lift Security" | ||
XXX Company who reported? But different from the author? Is coordination a thing, if so, what is coordinated? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For example. why should other vendors contributor and help with this process. It's not required but giving them credit for who help the disclosure process (hand holding) would be nice. I have a feeling we'll be sending a lot of stuff your way in the future and if it's already all buttoned up and written up it would be nice to give credit. Could be some other field though.
This is a first pass at finding the node security issues released, only 4.x and later. @evilpacket @grnd I'd be interested in opionions on the description and overview text, since I imagine that tools could be extended to detect the current version of node, and report and vulnerabilities associated with it from this information. I'm wondering about details such as active/passive voice, description of problem vs description of fix (node usually describes the fix, not the problem), and whether the description field should/should not be capitalized, be a full sentence. Or whether it doesn't matter. The data is currently in a text file for easy of updating (much easier than JSON), but I have a script locally that explodes it into JSON. I'll do one more pass on the data to check for quality and typos, but I'm a bit burnt out after 2 days of going through this, that will have to wait until next week when I'm back from vacation. |
vuln/core/README.txt
Outdated
|
||
-- | ||
|
||
CVE: XXX assigned, @mhdawson, what is it? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
vuln/core/README.txt
Outdated
|
||
-- | ||
|
||
XXX break into 4 records? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is breaking this into a record per CVE busy work, or does it make the data much easier to consume? I suspect the latter, I'll probably make sure that no record has more than a single CVE, that seems to be what rubysec does, but perhaps I misundertand the CVE purposes. Comments?
vuln/core/README.txt
Outdated
code. This vulnerability would require an attacker to be able to execute | ||
arbitrary JavaScript code in a Node.js process. | ||
|
||
XXX This is not remote, why was it considered a security issue for node? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will find the PR for this in a second pass and look for commentary by @nodejs/security
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bnoordhuis looking at the conversations, it looks to me that this V8 bug alone would probably not have triggered a security release, but since a security release was already happening (https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/) and it is a V8 bug, and 6.x was transitioning to LTS, it was easy to just bundle it in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that sounds about right.
vuln/core/README.txt
Outdated
|
||
-- | ||
|
||
XXX split into two records? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems like two related vulns, better to be two records with one CVE per record.
vuln/core/README.txt
Outdated
|
||
-- | ||
|
||
XXX this doesn't appear to be remote, is it a node vulnerability? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to find why @nodejs/security called this a vuln, seems like it needs code access to me, though perhaps data can be injected?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/nodejs/security/issues/20 for context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, looks like its CVSS score indicated it was a vuln, and its possible to imagine data being injected which when stringified and returned would leak memory?
vuln/core/README.txt
Outdated
|
||
-- | ||
|
||
XXX this was NOT called a security release? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since this breaks a security guarantee, seems like it would deserve a CVE @nodejs/security
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems similarl to https://github.com/nodejs/security-wg/pull/35/files#r131361440, could be a vuln
@nodejs/security PTAL, does this reflect known vulnerabilities in node? The README.txt is probably easier to review, though I intend to delete it and the explode.js script and commit only the JSON vulnerabilities into the database. @nodejs/security-wg is the format of this useful? In particular, will it be useful to tools to allow them to report vulnerabilities not only in module dependencies, but also in the version of the node runtime itself? Can you think of a better naming convention than sequential IDs? Eventually, I hope to be able to apply for CVEs for them all, but that won't happen very quickly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hard to say how useful it is, that depends on what tools target it. But I'd say it's fairly useful just as a list to manually parse.
vuln/core/1.json
Outdated
], | ||
"ref": "https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/", | ||
"vulnerable": "8.x, 7.x, 4.x, 6.x, 5.x", | ||
"patched": "^8.1.4, ^7.10.1, ^4.8.4, ^6.11.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would an array make more sense than a ,
separated list here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so, this is consistent with the version spec formats in the package.json engine field, and also with usage of https://github.com/npm/node-semver#usage, which is how it will probably be used. at least, its intended to be compatible with node-semver, I'll do a check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It wasn't correct, a logical OR needs ||
, not ,
. Fixed.
"vulnerable": "6.x", | ||
"patched": "^6.9.0", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for", | ||
"author": "Jann Horn", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ref #35 (comment), changing author
to something else seems like a good idea.
Maybe reporter
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reasonably, but that should happen first in #34, and then applied to vuln/core as well as vuln/npm
PR-URL: #35 Reviewed-By: Gibson Fahnestock <[email protected]>
landed in c7041cd |
PR-URL: nodejs/security-wg#35 Reviewed-By: Gibson Fahnestock <[email protected]>
PR-URL: nodejs/security-wg#35 Reviewed-By: Gibson Fahnestock <[email protected]>
These will be reformatted into JSON, just PRing early so what I'm
working on is visible.
Depends on #34