Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable Dependency: macaddress #4479

Closed
leogonzalez opened this issue May 17, 2018 · 7 comments
Closed

Vulnerable Dependency: macaddress #4479

leogonzalez opened this issue May 17, 2018 · 7 comments

Comments

@leogonzalez
Copy link

Hi, apologies if this isn't the right place for this.

Using create-react-app and running npm audit (available as npm 6) returns a vulnerable dependency report with Critical tag:

=== npm audit security report ===

Package: macaddress
Dependency of: react-scripts
Path: react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
More info: https://nodesecurity.io/advisories/654
@Gnito Gnito mentioned this issue May 17, 2018
Merged
@barbalex
Copy link

npm audit outputs:

Run  npm install --dev [email protected]  to resolve 1 vulnerability

But according to #3815 the newest version is 2.0.0-next.66cc7a90.

What version should I install?

@gaearon
Copy link
Contributor

gaearon commented May 18, 2018

From the vulnerability description you linked to:

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

If you look at the code for uniqid you'll see this is not the case.

So there is no actual vulnerability you're being exposed to.

Feel free to send us a PR that bumps the package version when downstream packages stop using the vulnerable one but there is no issue that we need to address on our side.

@gaearon gaearon closed this as completed May 18, 2018
@iansu iansu mentioned this issue May 18, 2018
Closed
@rwschmitz rwschmitz mentioned this issue May 18, 2018
Closed
@gabrielflorit gabrielflorit mentioned this issue May 20, 2018
Closed
2 tasks
@gaearon gaearon mentioned this issue May 20, 2018
Closed
@gabimoncha
Copy link

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method
@gaearon can you explain what this means?

@gaearon
Copy link
Contributor

gaearon commented May 22, 2018

It’s said here:

https://nodesecurity.io/advisories/654

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

The macaddress package exports a method called one that takes a single argument. If that argument was supplied by an attacker they could trigger the vulnerability. However, in our case that argument is hardcoded in the uniq implementation I linked to above:

// ...
var mac = typeof __webpack_require__ !== 'function' ? require('macaddress').one(macHandler) : null ;
// ...
function macHandler(error){
  // ...
}

It’s not based on user input and can’t be controlled by an attacker. So there is no vulnerability in this case.

Does this explanation help?

@gabimoncha
Copy link

@gaearon you were really helpful !

@minyc510
Copy link

Hello, just commenting to report that I had the same issue and npm advised me to run
npm update postcss-filter-plugins --depth 4

Which did the trick.

@gaearon
Copy link
Contributor

gaearon commented May 23, 2018

Stuff will break if you start updating internal packages without ejecting. You’ve been warned :-)

Going to lock this thread because there’s no actionable thing here for us. I’ll see if we can bump the dependency in 1.x branch. But again, there’s no real vulnerability here and you’re wasting effort trying to fix it.

@facebook facebook locked and limited conversation to collaborators May 23, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@barbalex @gaearon @leogonzalez @minyc510 @gabimoncha