Vulnerabilities introduced by package node-forge and @firebase/util

[paimon0715]

Hi ,@hiranya911, @lahirumaramba , there are two vulnerabilities introduced in your package:

Issue Description

Vulnerabilities CVE-2020-7720 detected in package node-forge<0.10.0 and CVE-2020-7765 detected in package @firebase/util<0.3.4 are referenced by firebase-admin@8.13.0. We noticed that the vulnerabilities has been removed since firebase-admin@9.2.0.

However, firebase-admin's popular previous version firebase-admin@8.13.0 (78,863 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 498 downstream projects, e.g., @paperbits/firebase 0.1.429, dblibrary 1.338.0, @endran/firebridge 2.0.0, firestore-to-bigquery-export 1.7.2, @meditect/geofirestore-clustering-js 1.0.8, multi-db-orm@1.0.8, node-paytmpg@2.0.4, etc.).
As such, issue CVE-2020-7720 and CVE-2020-7765 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade firebase-admin from version 8.13.0 to (>=9.2.0) For instance, firebase-admin@8.13.0 is introduced into the above projects via the following package dependency paths:
(1)multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ node-forge@0.7.6
(2) node-paytmpg@2.0.4 ➔ multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ node-forge@0.7.6
(3) multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ @firebase/database@0.6.13 ➔ @firebase/component@0.1.19 ➔ @firebase/util@0.3.2
......

The projects such as node-firestore-import-export, which introduced firebase-admin@8.13.0, are not maintained anymore. These unmaintained packages can neither upgrade firebase-admin nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from package firebase-admin@8.13.0?

Suggested Solution

Since these unactive projects set a version constaint 8.13.0 for firebase-admin on the above vulnerable dependency paths, if firebase-admin removes the vulnerability from 8.13.0 and releases a new patched version firebase-admin@8.13.1, such a vulnerability patch can be automatically propagated into the 498 affected downstream projects.

In firebase-admin@8.13.1, you can kindly try to perform the following upgrade:
(1)node-forge ^0.7.6 ➔ ^0.10.0;
(2)@firebase/database ^0.6.0 ➔ ^0.7.1;
Note:
node-forge@0.10.0(>=0.10.0) has fixed the vulnerability (CVE-2020-7720);
@firebase/database@0.7.1(>=0.7.1) transitively depends on @firebase/util@0.3.4(a vulnerability CVE-2020-7765 patched version)

Thanks again for your contributions.

Best regards,
Paimon

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[hiranya911]

Thanks for bug report @paimon0715. We don't usually release patches for previous major versions, and our release processes are not even set up for that type of maintenance work (e.g. we don't have a v8 branch to perform further development on). I'll chat with the team and see if we can make an exception in this one instance.

[paimon0715]

@hiranya911 Thank you very much for your help.

I'll chat with the team and see if we can make an exception in this one instance.
This is my honor.

[hiranya911]

Hi @paimon0715. I discussed this with the rest of our team, and the consensus was that the risk of breaking something with a new point release is not worth the potential benefits. Therefore we are not going to do another v8 point release at this stage. As for the security issues, I don't think either of the mentioned vulnerabilities actually affect the Admin SDK. We do not call the vulnerable functions mentioned in the CVEs (util.setPath() in node-forge and deepExtend() in firebase-util). And since the Admin SDK is usually deployed in backend environments, developers also have more control over their code and the dependencies to mitigate any additional risks.

I would also recommend reporting an issue (or even submit a PR) at https://github.com/jloosli/node-firestore-import-export to see if we can get them to upgrade, since this seems to be what's pulling the old Admin SDK version into developer's projects in most cases.