
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
A project-wide update of socket.io to 4.5.4 was necessary because of its
transitive dependency on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <[email protected]>
petermetz committed Jul 16, 2023
1 parent 759f305 commit b68a5d6
Showing 24 changed files with 328 additions and 224 deletions.
Expand Up @@ -15,7 +15,7 @@
},
"dependencies": {
"escape-html": "1.0.3",
"socket.io": "4.4.1"
"socket.io": "4.5.4"
},
"devDependencies": {
"@types/escape-html": "1.0.1",
Expand Up @@ -32,7 +32,7 @@
"log4js": "6.4.0",
"morgan": "1.9.1",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"ts-node": "8.9.1",
"web3": "1.8.1",
"xmlhttprequest": "1.8.0"
2 changes: 1 addition & 1 deletion examples/cactus-example-electricity-trade/package.json
Expand Up @@ -30,7 +30,7 @@
"log4js": "6.4.0",
"morgan": "1.9.1",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"ts-node": "8.9.1",
"web3": "1.8.1",
"xmlhttprequest": "1.8.0"
Expand Up @@ -15,7 +15,7 @@
"ethereumjs-tx": "2.1.2",
"ts-node": "9.1.1",
"web3": "1.8.1",
"socket.io": "4.4.1"
"socket.io": "4.5.4"
},
"devDependencies": {
"typescript": "3.9.10"
4 changes: 2 additions & 2 deletions examples/cactus-example-tcs-huawei/package.json
Expand Up @@ -29,7 +29,7 @@
"log4js": "6.4.0",
"morgan": "1.9.1",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"ts-node": "8.9.1",
"web3": "1.7.0",
"xmlhttprequest": "1.8.0"
Expand All @@ -43,4 +43,4 @@
"eslint-plugin-prettier": "4.0.0",
"prettier": "2.5.1"
}
}
}
Expand Up @@ -15,7 +15,7 @@
"ethereumjs-tx": "2.1.2",
"ts-node": "9.1.1",
"web3": "1.7.0",
"socket.io": "4.4.1"
"socket.io": "4.5.4"
},
"devDependencies": {
"typescript": "3.9.10"
2 changes: 1 addition & 1 deletion examples/test-run-transaction/package.json
Expand Up @@ -28,7 +28,7 @@
"log4js": "6.4.0",
"morgan": "1.9.1",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"ts-node": "8.9.1",
"web3": "1.7.0",
"xmlhttprequest": "1.8.0"
4 changes: 2 additions & 2 deletions extensions/cactus-plugin-htlc-coordinator-besu/package.json
Expand Up @@ -69,14 +69,14 @@
"joi": "14.3.1",
"openapi-types": "7.0.1",
"prom-client": "13.1.0",
"socket.io-client": "4.1.3",
"socket.io-client": "4.5.4",
"typescript-optional": "2.0.1"
},
"devDependencies": {
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.1",
"@hyperledger/cactus-test-tooling": "2.0.0-alpha.1",
"@types/express": "4.17.8",
"socket.io": "4.4.1"
"socket.io": "4.5.4"
},
"engines": {
"node": ">=10",
Expand Up @@ -4,6 +4,6 @@
"private": true,
"dependencies": {
"jsonwebtoken": "8.5.1",
"socket.io-client": "4.1.3"
"socket.io-client": "4.5.4"
}
}
Expand Up @@ -5,6 +5,6 @@
"dependencies": {
"json-bigint": "1.0.0",
"jsonwebtoken": "8.5.1",
"socket.io-client": "4.1.3"
"socket.io-client": "4.5.4"
}
}
Expand Up @@ -196,9 +196,7 @@ export class SocketIOApiClient implements ISocketApiClient<SocketLedgerEvent> {
args: any,
): Promise<any> {
let timeout: ReturnType<typeof setTimeout> | undefined;
// `Function` is used by socketio `socket.off()` method
// eslint-disable-next-line @typescript-eslint/ban-types
const freeableListeners = new Map<string, Function>();
const freeableListeners = new Map<string, (...args: any[]) => void>();

return new Promise((resolve, reject) => {
this.log.debug("call : sendSyncRequest");
Expand Down Expand Up @@ -333,9 +331,7 @@ export class SocketIOApiClient implements ISocketApiClient<SocketLedgerEvent> {
} else {
this.log.debug("Create new observable subject...");

// `Function` is used by socketio `socket.off()` method
// eslint-disable-next-line @typescript-eslint/ban-types
const freeableListeners = new Map<string, Function>();
const freeableListeners = new Map<string, (...args: any[]) => void>();
const freeListeners = () =>
freeableListeners.forEach((listener, eventName) =>
this.socket.off(eventName, listener),
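Review bot: The listener type `(...args: any[]) => void` is now spelled out twice, once in each hunk where `freeableListeners` is declared (first in the method whose body logs `sendSyncRequest`, then again in the second hunk); a single module-level alias, `type SocketListener = (...args: any[]) => void;`, would keep both maps in step and give the `any` one place to carry its justification. The removed `ban-types` comment explained why `Function` was used, but nothing now explains the `any[]`; presumably it is needed so handlers declaring concrete payload parameter types stay assignable under `strictFunctionTypes`, where `unknown[]` would reject them, and a comment such as `// any[]: handlers declare concrete payload types; unknown[] would not accept them under strictFunctionTypes` would record that. Both enclosing methods start and end outside their hunks.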
6 changes: 3 additions & 3 deletions packages/cactus-cmd-api-server/package.json
Expand Up @@ -86,8 +86,8 @@
"run-time-error": "1.4.0",
"rxjs": "7.8.1",
"semver": "7.5.2",
"socket.io": "4.4.1",
"socket.io-client": "4.4.1",
"socket.io": "4.5.4",
"socket.io-client": "4.5.4",
"typescript-optional": "2.0.1",
"uuid": "8.3.2"
},
Expand All @@ -110,7 +110,7 @@
"@types/semver": "7.3.8",
"@types/uuid": "8.3.1",
"@types/xml2js": "0.4.9",
"artillery": "1.7.2",
"artillery": "1.7.9",
"http-status-codes": "2.1.4"
},
"engines": {
4 changes: 2 additions & 2 deletions packages/cactus-cmd-socketio-server/package.json
Expand Up @@ -31,8 +31,8 @@
"log4js": "6.4.1",
"morgan": "1.10.0",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io-client": "4.1.3",
"socket.io": "4.5.4",
"socket.io-client": "4.5.4",
"web3": "1.6.0",
"xmlhttprequest": "1.8.0"
},
2 changes: 1 addition & 1 deletion packages/cactus-core-api/package.json
Expand Up @@ -83,7 +83,7 @@
"@types/express": "4.17.13",
"make-dir-cli": "3.0.0",
"rxjs": "7.8.1",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"typescript-optional": "2.0.1"
}
}
4 changes: 2 additions & 2 deletions packages/cactus-plugin-ledger-connector-besu/package.json
Expand Up @@ -64,7 +64,7 @@
"prom-client": "13.2.0",
"run-time-error": "1.4.0",
"rxjs": "7.8.1",
"socket.io-client": "4.1.3",
"socket.io-client": "4.5.4",
"typescript-optional": "2.0.1",
"web3": "1.5.2",
"web3-core": "1.5.2",
Expand All @@ -76,7 +76,7 @@
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.1",
"@hyperledger/cactus-test-tooling": "2.0.0-alpha.1",
"@types/express": "4.17.13",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"web3-core": "1.5.2",
"web3-eth": "1.5.2"
},
Expand Up @@ -34,7 +34,7 @@
"protobufjs": "5.0.3",
"serve-favicon": "2.4.5",
"shelljs": "0.8.5",
"socket.io": "4.4.1"
"socket.io": "4.5.4"
},
"devDependencies": {
"@hyperledger/cactus-api-client": "2.0.0-alpha.1",
Expand Up @@ -11,7 +11,7 @@
"dependencies": {
"@types/node": "14.18.12",
"config": "1.31.0",
"socket.io-client": "4.1.3",
"socket.io-client": "4.5.4",
"ts-node": "9.1.1",
"fabric-ca-client": "2.2.10",
"fabric-network": "2.2.10",
Expand Up @@ -28,7 +28,7 @@
"morgan": "1.10.0",
"serve-favicon": "2.4.5",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"web3": "1.8.1"
},
"devDependencies": {
Expand Up @@ -15,7 +15,7 @@
"ethereumjs-tx": "2.1.2",
"ts-node": "9.1.1",
"web3": "1.7.0",
"socket.io-client": "4.1.3"
"socket.io-client": "4.5.4"
},
"devDependencies": {
"typescript": "3.9.10"
4 changes: 2 additions & 2 deletions packages/cactus-plugin-ledger-connector-iroha2/package.json
Expand Up @@ -67,7 +67,7 @@
"body-parser": "1.19.0",
"jest": "28.1.0",
"jest-extended": "2.0.0",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"uuid": "8.3.2"
},
"engines": {
Expand All @@ -77,4 +77,4 @@
"publishConfig": {
"access": "public"
}
}
}
Expand Up @@ -27,7 +27,7 @@
"morgan": "1.10.0",
"serve-favicon": "2.4.5",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"xmlhttprequest": "1.8.0"
},
"devDependencies": {
Expand Up @@ -24,10 +24,10 @@
"morgan": "1.10.0",
"serve-favicon": "2.4.5",
"shelljs": "0.8.5",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"xmlhttprequest": "1.8.0"
},
"devDependencies": {
"@types/config": "0.0.41"
}
}
}
2 changes: 1 addition & 1 deletion packages/cactus-plugin-odap-hermes/package.json
Expand Up @@ -61,7 +61,7 @@
"crypto-js": "4.0.0",
"knex": "2.4.0",
"secp256k1": "4.0.2",
"socket.io": "4.4.1",
"socket.io": "4.5.4",
"sqlite3": "5.1.5",
"typescript-optional": "2.0.1",
"web3": "1.5.2",
