Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🔥NPM audit reports Denial of Service vulnerability #7

Closed
Dangoo opened this issue May 13, 2019 · 10 comments
Closed

🔥NPM audit reports Denial of Service vulnerability #7

Dangoo opened this issue May 13, 2019 · 10 comments

Comments

@Dangoo
Copy link

Dangoo commented May 13, 2019

Hi, just wanted to let you know, that of today NPM released an advisory that serialize-to-js is vulnerable to Denial of Service attacks with a high severity.

Severity: high
https://npmjs.com/advisories/790

Would be great if you could look into it and hopefully resolve the vulnerability soon :)
@commenthol
Copy link
Owner

Hi @Dangoo, thanks for letting me know. Unfortunately no one got in touch with me reporting any issue as stated at npm.
Up to the moment I have no clue what the finding is about, how to determine and verify the issue stated, and how to perform that dos attack.
With the nothing I have currently it will be difficult to track things down. Usually I get notified on such topics with some insights.

@commenthol
Copy link
Owner

Mail was sent to support@npmjs.com - hopefully I will get a report on the allegation.

@commenthol
Copy link
Owner

Human errors may happen in human environments.
Albeit the advisory has been withdrawn, the issue is still present, so here the full disclosure.

Deserialization of untrusted data using this package is dangerous. Even though it uses safer-eval to try and sandbox evaluated code, it is vulnerable to DoS by deserializing 'function(){while(true){}}()'.

Minimal viable sample:

const serializeToJs = require('serialize-to-js')
var str = 'function(){while(true){}}()'
var res = serializeToJs.deserialize(str) // will never finish
console.log(res)

As I will not be able to fix the issue I'd propose the following option:

  1. Breaking change: Remove the deserialize method from this package

  2. Put a statement in safer-eval and recommend running the deserialization in a seperate worker thread with time based termination.

Any other ideas?

@Dor-Tumarkin
Copy link

I disclosed this issue via npmjs.com, assuming they will contact the package owner. I guess they didn't... Sorry it turned out this way.

A worker thread with time based termination is probably the best option, though this has to be min-maxed in some way - after all, if the timer is too long an attacker can still throttle their target by creating a ton of worker threads, and if it is too short legitimate work might terminate too early. Maybe create a limit on how many worker threads can be created, and possibly even a queue, to protect against the former. It would still restrict the service, but at least it won't crash or thrash when flooded.

This was referenced May 14, 2019
Merged
Merged
@alexander-akait alexander-akait mentioned this issue May 15, 2019
Closed
@commenthol
Copy link
Owner

v2.0.0 released

https://github.com/commenthol/serialize-to-js/releases/tag/v2.0.0

@luddwichr luddwichr mentioned this issue Jun 5, 2019
Closed
@franciscolourenco
Copy link

Could another option be to serialize functions into a string representation, and not deserialize them? This would be more useful than no deserialization.

@DeMoorJasper DeMoorJasper mentioned this issue Aug 23, 2019
Merged
2 tasks
@salientknight
Copy link

salientknight commented Aug 28, 2019
edited
Loading

At the moment upgrading to >=2.0.0 removes the vulnerability but then installing eslint brings it right back.

Here is my dependency hell:
npm i serialize-to-js>=2.0.0
npm WARN @typescript-eslint/eslint-plugin@1.13.0 requires a peer of eslint@^5.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/parser@1.13.0 requires a peer of eslint@^5.0.0 but none is installed. You must install peer dependencies yourself.

Updating eslint adds the audit warning back for serialize-to-js

@commenthol
Copy link
Owner

Hi @salientknight,
version >=2.0.0 does not contain any longer code which is subject to the advised DoS, therefore the breaking change.
Running npm audit should usually give you the reason for the module being subject to the given advisory.
I recommend in your case:

  1. delete node_modules folder
  2. make a clean npm install
  3. if you don't have a package-lock.json file run npm install --package-lock-only
  4. then run npm audit

@salientknight
Copy link

Running npm audit should usually give you the reason for the module being subject to the given advisory.

yeah I was able to update to version 3 but Parcel seems to using version <2 and claims it's a NPM false report issue. Either way, updating causes a warning that eslint@^5.0.0 is not installed (as noted above).

I have done a new npm i and deleted json and I just seem locked a circle.

@adriaandotcom adriaandotcom mentioned this issue Sep 17, 2019
Closed
@Nyura95 Nyura95 mentioned this issue Sep 20, 2019
Closed
@commenthol
Copy link
Owner

Closing this issue as modules have been separated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@franciscolourenco @Dangoo @commenthol @Dor-Tumarkin @salientknight