Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Need to update jsprim due to vulnerability in json-schema #123

Closed
WilliamHolmes opened this issue Nov 15, 2021 · 3 comments
Closed

Need to update jsprim due to vulnerability in json-schema #123

WilliamHolmes opened this issue Nov 15, 2021 · 3 comments

Comments

@WilliamHolmes
Copy link

json-schema has a vulnerability which is included in older versions of jsprim.

jsprim is currently as 2.0.1

@bahamat
Copy link
Member

bahamat commented Nov 17, 2021

I just updated jsprim to 2.0.2 a few minutes ago to address this in that package.

Testing of http-signature on node 0.10 with jsprim updated to 2.0.2:

diff --git a/package.json b/package.json
index 42500ab..c278e85 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "http-signature",
   "description": "Reference implementation of Joyent's HTTP Signature scheme.",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "license": "MIT",
   "author": "Joyent, Inc",
   "contributors": [
@@ -31,7 +31,7 @@
   },
   "dependencies": {
     "assert-plus": "^1.0.0",
-    "jsprim": "^1.2.2",
+    "jsprim": "^2.0.2",
     "sshpk": "^1.14.1"
   },
   "devDependencies": {
[root@node-tester ~/src/node-http-signature]# make test
npm install
TAP=1 ./node_modules/.bin/tap test/*.test.js
TAP version 13
# convert.test.js
# TAP version 13
# 1024b pem to rsa ssh key
ok 1 should be equal
# 2048b pem to rsa ssh key
ok 2 should be equal
# 4096b pem to rsa ssh key
ok 3 should be equal
# 1024b rsa ssh key
ok 4 should be equal
# 2048b rsa ssh key
ok 5 should be equal
# 4096b rsa ssh key
ok 6 should be equal
# 1024b dsa ssh key
ok 7 should be equal
# fingerprint
ok 8 should be equal
# tests 8
# pass  8
# ok
ok 9 test/convert.test.js

# examples.test.js
# TAP version 13
# read in doc
# find keys and examples
# tests 0
# ok
ok 10 test/examples.test.js

# header.test.js
# TAP version 13
# setup
ok 11 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date request-line content-length",signature="oSwbRe6Ed78lu3xKah7ZK/T5K9DdM4dtGs7TA7lCzhqqoIf8xKiwGIR7BkjUb07xs9NhmGpWCAPd9yBC6b7lURLqemOiIjBvT8f3vtj54/vpLcrQl2rgGcjggDXpfGE3CzA28y0rcXIer6gkCvwjT/KL+Eu+f3zuHZexiHntjTE="
# header with 0 value
ok 12 (unnamed assert)
ok 13 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date x-foo",signature="eJqjL3xGQaHZ+lrICae+qolAZio3fT1jk1DPU1HLu6DSZPiPaDEaEu6E4Kst2v+dMwZ99JJss4RcWC3czxn56/sg/DNRhw4ZZPqtp06Y0K/wmpV4FAxkdlCc0HLU+kSC95uUki6FJE7Q8sNo837xNNbHohrGOu/Mddn4klW6qWM="
# header with boolean-mungable value
ok 14 (unnamed assert)
ok 15 (unnamed assert)
# tear down
# tests 5
# pass  5
# ok
ok 16 test/header.test.js

# parser.test.js
# TAP version 13
# setup
# no authorization
ok 17 should be equal
ok 18 should be equal
# bad scheme
ok 19 should be equal
ok 20 should be equal
ok 21 should be equal
# no key id
ok 22 should be equal
ok 23 should be equal
ok 24 should be equal
# key id no value
ok 25 should be equal
ok 26 should be equal
ok 27 should be equal
# key id no quotes
ok 28 should be equal
ok 29 should be equal
ok 30 should be equal
# key id param quotes
ok 31 should be equal
ok 32 should be equal
ok 33 should be equal
# param name with space
ok 34 should be equal
ok 35 should be equal
ok 36 should be equal
# no algorithm
ok 37 should be equal
ok 38 should be equal
ok 39 should be equal
# algorithm no value
ok 40 should be equal
ok 41 should be equal
ok 42 should be equal
# no signature
ok 43 should be equal
ok 44 should be equal
ok 45 should be equal
# invalid algorithm
ok 46 should be equal
ok 47 should be equal
ok 48 should be equal
# no date header
ok 49 should be equal
ok 50 should be equal
ok 51 should be equal
# valid numeric parameter
ok 52 should be equal
# invalid numeric parameter
ok 53 should be equal
ok 54 should be equal
ok 55 should be equal
# invalid numeric parameter - decimal
ok 56 should be equal
ok 57 should be equal
ok 58 should be equal
# invalid numeric parameter - signed integer
ok 59 should be equal
ok 60 should be equal
ok 61 should be equal
# created in future
ok 62 should be equal
ok 63 should be similar
ok 64 should be equal
# expires expired
ok 65 should be equal
ok 66 should be similar
ok 67 should be equal
# valid created and expires with skew
ok 68 should be equal
# valid default headers
ok 69 should be equal
# valid custom authorizationHeaderName
ok 70 should be equal
# explicit headers missing
ok 71 should be equal
# {
# }
# valid explicit headers request-line
ok 72 should be equal
ok 73 (unnamed assert)
ok 74 should be equal
ok 75 (unnamed assert)
ok 76 should be equal
ok 77 should be equal
ok 78 should be equal
ok 79 (unnamed assert)
ok 80 should be equal
ok 81 should be equal
ok 82 should be equal
ok 83 should be equal
ok 84 should be equal
ok 85 (unnamed assert)
ok 86 should be equal
ok 87 should be equal
ok 88 should be equal
# valid explicit headers request-line strict true
ok 89 should be equal
ok 90 should be equal
ok 91 should be equal
# {
# }
# valid explicit headers request-target
ok 92 should be equal
ok 93 (unnamed assert)
ok 94 should be equal
ok 95 (unnamed assert)
ok 96 should be equal
ok 97 should be equal
ok 98 should be equal
ok 99 (unnamed assert)
ok 100 should be equal
ok 101 should be equal
ok 102 should be equal
ok 103 should be equal
ok 104 should be equal
ok 105 (unnamed assert)
ok 106 should be equal
ok 107 should be equal
ok 108 should be equal
# expired
ok 109 should be equal
# missing required header
ok 110 should be equal
ok 111 should be equal
ok 112 should be equal
# valid mixed case headers
ok 113 should be equal
# not whitelisted algorithm
ok 114 should be equal
ok 115 should be equal
ok 116 should be equal
# tearDown
# tests 100
# pass  100
# ok
ok 117 test/parser.test.js

# signer.test.js
# TAP version 13
# setup
ok 118 (unnamed assert)
ok 119 (unnamed assert)
ok 120 (unnamed assert)
ok 121 (unnamed assert)
# > Signature keyId="unitTest",algorithm="rsa-sha256",signature="PgmDcqnyvGMCBUjcj6UfJuKMoHecXH/+okqSVpjJW8TujArAE6AXQuS8v323+9Uxm7wzhnj+eHW8emgG8ehxi+bQqBXArBoOeyEylx8F16dqjhdxGN798PcUjpqHI1XlHiVacf2xhJzwhs6HUeUz0ef1z81IagOkdIolqauXuRI="
# defaults
ok 122 (unnamed assert)
ok 123 (unnamed assert)
ok 124 should be equal
ok 125 (unnamed assert)
ok 126 (unnamed assert)
# > Signature keyId="unitTest",algorithm="rsa-sha256",signature="PgmDcqnyvGMCBUjcj6UfJuKMoHecXH/+okqSVpjJW8TujArAE6AXQuS8v323+9Uxm7wzhnj+eHW8emgG8ehxi+bQqBXArBoOeyEylx8F16dqjhdxGN798PcUjpqHI1XlHiVacf2xhJzwhs6HUeUz0ef1z81IagOkdIolqauXuRI="
# with custom authorizationHeaderName
ok 127 (unnamed assert)
ok 128 (unnamed assert)
ok 129 should be equal
ok 130 (unnamed assert)
ok 131 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date request-line",signature="gAsWbHHP+0XdUBGXLZMXmGjpbfvLmzxjBgGz56ZbAErJltQz0tpDZmaIrKtFSGhPU8mbA9Q+TMcuH0V7yj9rnFyusA+XJRUiYcYhnHY9vx/622J8vrKPR6XPn9rReCDfoGr4vSnHE1pKDMdw3G5mNaENAakSfil1Eu/Z8GROtq8="
# request line strict unspecified
ok 132 (unnamed assert)
ok 133 (unnamed assert)
ok 134 should be equal
ok 135 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date request-line",signature="gAsWbHHP+0XdUBGXLZMXmGjpbfvLmzxjBgGz56ZbAErJltQz0tpDZmaIrKtFSGhPU8mbA9Q+TMcuH0V7yj9rnFyusA+XJRUiYcYhnHY9vx/622J8vrKPR6XPn9rReCDfoGr4vSnHE1pKDMdw3G5mNaENAakSfil1Eu/Z8GROtq8="
# request line strict false
ok 136 (unnamed assert)
ok 137 (unnamed assert)
ok 138 (unnamed assert)
ok 139 (unnamed assert)
# request line strict true
ok 140 Expected to throw
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (request-target)",signature="Rddbzx9JiPHGKiklsampIu5Ggc+Rs6vp3JWtZVTb8OqaMpkNTSKCQX0bWpqGoZvq1frrWT9DYBYFabCTJhrGqGX0R2io4pn007SwkPvMG8L5akdduFqQD726Hc7Nkuyaw4cbABDJoMTbbLP88pr8h6XdCaDNERINP6J8smUsy/Q="
# request target
ok 141 (unnamed assert)
ok 142 (unnamed assert)
ok 143 should be equal
ok 144 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (keyid)",signature="O6s9ES35zfqg7MrdZwjN/qcXQUr5zLsN5vpCjIGI557mhu9qzdwX3PJtCNCaCZzkJJEA2tayUrpW91nUwDRaWGTipWqfDtRum6Tx/xlw6nUZygDqJ8yXntSc619zfBZOdlrLmP8xwy7PFs/w9ivqL1DrjxS9LaqGZGGji2cez8s="
# keyid
ok 145 (unnamed assert)
ok 146 (unnamed assert)
ok 147 should be equal
ok 148 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (algorithm)",signature="rhjNmRxDYmx0OnbhsdCS8afhuvkZ7GSRKZ5J8MUC/+RQFALw1u+b/IuvAKFLfboRiOX6WKwEHRuCxA7Ve7zophJ7PTZ5kvedNY6sYISQhvfgLiN7Niw5NzlEKf/foC7lvfgCkFj0du0lWiGC1OTsPisXnfZaItEicCb1r2kOflw="
# signing algorithm
ok 149 (unnamed assert)
ok 150 (unnamed assert)
ok 151 should be equal
ok 152 should be equal
ok 153 should be equal
ok 154 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (algorithm)",signature="rhjNmRxDYmx0OnbhsdCS8afhuvkZ7GSRKZ5J8MUC/+RQFALw1u+b/IuvAKFLfboRiOX6WKwEHRuCxA7Ve7zophJ7PTZ5kvedNY6sYISQhvfgLiN7Niw5NzlEKf/foC7lvfgCkFj0du0lWiGC1OTsPisXnfZaItEicCb1r2kOflw="
# signing with unspecified algorithm
ok 155 (unnamed assert)
ok 156 (unnamed assert)
ok 157 should be equal
ok 158 should be equal
ok 159 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",opaque="opaque",headers="date (opaque)",signature="bvICmKJgnB6kciRWSWEsygBGmf5m6PIwZahBpghq87Ivat2g4P1et5ZvkKO7+7M+cBKG6cpX6gWBtJ75HU+Ca4tkRzDky6vrFIROlBlju5zELr7tLj1Z6FY21TBxuh+Jx23h+YbzIL7vjJWI9gb5ghmxkmvk3ojJf2aLpQTIHho="
# signing opaque param
ok 160 (unnamed assert)
ok 161 (unnamed assert)
ok 162 should be equal
ok 163 should be equal
ok 164 (unnamed assert)
# > Signature keyId="unit",algorithm="rsa-sha256",headers="date (algorithm)",signature="ROMt51x1aZqlTpyAlfy1xb9jcRrmyRpPYolbGAmZk8l7wpC6eSc4x0OpmPp1ZvsPRm5S6zLm9DufL1Ey3yApVGbBogHZWGwgRvfMIc6lWR7+U9WMTLRFallIq9YoFqBNfY2yTfA9vaEx+Ew7+Ai2lmJrLpaP/3YuRjZMII88zoY="
# signing with key protected with passphrase
ok 165 (unnamed assert)
ok 166 (unnamed assert)
ok 167 should be equal
ok 168 should be equal
ok 169 (unnamed assert)
# > Signature keyId="unit",algorithm="dsa-sha1",headers="date (request-target)",signature="MCwCFFG37hj+0QXdsRNrxcfUB4y5mrsZAhRLeEKhZlJ3atgV+tQ/pS8gqJ2zaA=="
# request-target with dsa key
ok 170 (unnamed assert)
ok 171 (unnamed assert)
# > Signature keyId="unit",algorithm="ecdsa-sha256",headers="date (request-target)",signature="MEQCIHUaCooOElk1ChatOOfcbMZWrKVcAys13k3dXIrJBRQMAiAoDFUefFrMDRtJszA6f9OQoapFaz8IW//kMoGxF0IXkw=="
# request-target with ecdsa key
ok 172 (unnamed assert)
ok 173 (unnamed assert)
# > Signature keyId="unit",algorithm="hmac-sha1",signature="i0+OKV5oXxsb6hZlxL0+8ZDaCRc="
# hmac
ok 174 (unnamed assert)
ok 175 (unnamed assert)
# > Signature keyId="foo",algorithm="rsa-sha1",headers="(request-target) date",signature="Cs9jW5ivjocnWnnw4E6td/9RxMokP8qDSXvF4/XFOU1OSurwzr0DOYxBldq4ijXylNMwCCmdUvJJtZcUFpxeWsLZ51lGD3rATp6sSyeDrkoYeZBD1MVQg1ypV311Mt+Xa8ucjNuC0/u/S0SOD3YEO9swRUbiYR9IktnEPlmMTPs="
# createSigner with RSA key
ok 176 (unnamed assert)
# createSigner with RSA key, auto algo
ok 177 (unnamed assert)
# createSigner with RSA key, auto algo, passphrase
ok 178 (unnamed assert)
# createSigner with HMAC key
ok 179 (unnamed assert)
# createSigner with sign function
ok 180 (unnamed assert)
ok 181 (unnamed assert)
ok 182 should be equal
ok 183 (unnamed assert)
ok 184 (unnamed assert)
# tear down
# tests 67
# pass  67
# ok
ok 185 test/signer.test.js

# verify.test.js
# TAP version 13
# setup
ok 186 (unnamed assert)
ok 187 (unnamed assert)
ok 188 (unnamed assert)
ok 189 (unnamed assert)
ok 190 (unnamed assert)
ok 191 (unnamed assert)
# invalid hmac
ok 192 (unnamed assert)
ok 193 should be equal
# valid hmac
ok 194 (unnamed assert)
ok 195 should be equal
# invalid raw hmac
ok 196 (unnamed assert)
ok 197 should be equal
# valid raw hmac
ok 198 (unnamed assert)
ok 199 should be equal
# invalid rsa
ok 200 (unnamed assert)
ok 201 should be equal
# valid rsa
ok 202 (unnamed assert)
ok 203 should be equal
# invalid dsa
ok 204 (unnamed assert)
ok 205 should be equal
# valid dsa
ok 206 (unnamed assert)
ok 207 should be equal
# invalid ecdsa
ok 208 (unnamed assert)
ok 209 should be equal
# valid ecdsa
ok 210 (unnamed assert)
ok 211 should be equal
# invalid date
ok 212 Expected to throw
ok 213 should be equal
# valid rsa from spec default
ok 214 (unnamed assert)
ok 215 (unnamed assert)
ok 216 should be equal
# valid rsa from spec default
ok 217 (unnamed assert)
ok 218 (unnamed assert)
ok 219 should be equal
# valid rsa from spec all headers
ok 220 (unnamed assert)
ok 221 (unnamed assert)
ok 222 should be equal
# valid rsa from spec all headers (request-target)
ok 223 (unnamed assert)
ok 224 (unnamed assert)
ok 225 should be equal
# tear down
# tests 40
# pass  40
# ok
ok 226 test/verify.test.js


1..226
# tests 226
# pass  226

# ok

@bahamat bahamat changed the title Need to update jsprim due to vulnerability in its sub package Need to update jsprim due to vulnerability in json-schema Nov 17, 2021
bahamat added a commit that referenced this issue Nov 17, 2021
@bahamat
Copy link
Member

bahamat commented Nov 17, 2021

Fixed in 391fbe4 (#125)

@snyamathi
Copy link

@bahamat I know this an oddball request, but if it's possible to backport this patch to ~1.2.x that would allow anyone using request to pick up this fix as well.

I know that request is deprecated, but it's still very popular with ~17 million weekly downloads.

Ideally request would have specified ^1.2.0, but they have ~1.2.0 which means that this fix is out of range.


I certainly wouldn't blame you for not wanting to backport this, but a whole lot of people on the internet would appreciate you for it :)

leoschweizer pushed a commit to fjuul/node-http-signature that referenced this issue Nov 19, 2021
…on-schema (TritonDataCenter#125) (#5)

Reviewed by: BruceHaley <[email protected]>
Reviewed by: Dan McDonald <[email protected]>

Co-authored-by: Brian Bennett <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants