
Security issues with dependencies normalize-url and ws #30

Closed
creativityjuice opened this issue Jul 15, 2021 · 14 comments

Comments

@creativityjuice
Contributor

Hi there,

There are 2 security issues with your package that impact our API. Could you fix these security issues please:

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539] in normalize-url@4.5.0
introduced by node-crisp-api@1.12.2 > got@9.6.0 > cacheable-request@6.1.0 > normalize-url@4.5.0
This issue was fixed in versions: 6.0.1, 5.3.1, 4.5.1

✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-WS-1296835] in ws@7.4.5
introduced by node-crisp-api@1.12.2 > socket.io-client@2.4.0 > engine.io-client@3.5.2 > ws@7.4.5
This issue was fixed in versions: 7.4.6, 6.2.2, 5.2.3

Cheers,
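The report above follows the scanner's "introduced by a > b > c" format: a vulnerable version is reported only when it is reachable through the installed dependency tree, and the "fixed in versions" list names one patched release per major line. The script below is an added example (not code from the crisp-api project, nor from Snyk) that performs the same reachability check over a tree shaped like the JSON that `npm ls --all --json` prints. The tree, the advisory list and the "one fixed release per major line" rule are constructed here from the chains quoted in this thread; a real lock file may differ.

```javascript
// Added example, not code from the crisp-api project or from Snyk: reproduce the
// "introduced by a > b > c" reachability check a dependency scanner performs, over a tree
// shaped like the JSON that `npm ls --all --json` prints (name, version, dependencies).
// The tree and the advisory list below are constructed from the chains quoted in this thread.

// Constructed sample in `npm ls --all --json` shape, mirroring the two chains reported above.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "node-crisp-api": {
      version: "1.12.2",
      dependencies: {
        got: {
          version: "9.6.0",
          dependencies: {
            "cacheable-request": {
              version: "6.1.0",
              dependencies: { "normalize-url": { version: "4.5.0" } },
            },
          },
        },
        "socket.io-client": {
          version: "2.4.0",
          dependencies: {
            "engine.io-client": {
              version: "3.5.2",
              dependencies: { ws: { version: "7.4.5" } },
            },
          },
        },
      },
    },
  },
};

// Advisories as quoted in the thread: affected package and the releases that carry the fix.
const ADVISORIES = [
  { id: "SNYK-JS-NORMALIZEURL-1296539", pkg: "normalize-url", fixedIn: ["6.0.1", "5.3.1", "4.5.1"] },
  { id: "SNYK-JS-WS-1296835", pkg: "ws", fixedIn: ["7.4.6", "6.2.2", "5.2.3"] },
];

// Minimal semver handling for plain MAJOR.MINOR.PATCH strings (no ranges, no pre-release tags).
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A version is patched when a fixed release exists on the same major line and the installed
// version is at or above it. Majors with no fixed release are treated as vulnerable (conservative).
function isPatched(installed, fixedIn) {
  const major = parseVersion(installed)[0];
  return fixedIn.some((f) => parseVersion(f)[0] === major && compareVersions(installed, f) >= 0);
}

// Depth-first walk collecting every chain (root excluded) that ends at package `pkg`.
function findPaths(tree, pkg, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = trail.concat({ name, version: node.version });
    if (name === pkg) hits.push(here);
    hits.push(...findPaths(node, pkg, here));
  }
  return hits;
}

// One finding per reachable, unpatched instance, rendered in the scanner's "introduced by" format.
function audit(tree, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const chain of findPaths(tree, adv.pkg)) {
      const installed = chain[chain.length - 1].version;
      if (isPatched(installed, adv.fixedIn)) continue;
      findings.push({
        id: adv.id,
        pkg: adv.pkg,
        installed,
        introducedBy: chain.map((d) => `${d.name}@${d.version}`).join(" > "),
      });
    }
  }
  return findings;
}

for (const f of audit(SAMPLE_TREE, ADVISORIES)) {
  console.log(`${f.id}: ${f.pkg}@${f.installed} introduced by ${f.introducedBy}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json` (npm 7 or later) and fill `ADVISORIES` from the advisory text. The check is deliberately pessimistic: a package on a major line that has no fixed release is reported as vulnerable, which is the safe default when deciding whether a transitive dependency needs attention.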

@baptistejamin
Member

No worries. Even if the bot reports these dependencies, you won't be impacted directly by this, because it only affects the server (our own servers), and those are already patched.

@creativityjuice
Contributor Author

Hi,

I'm back with my security issues on your package. Could you fix these issues please:

✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-GOT-2932019] in got@9.6.0
introduced by crisp-api@6.3.0 > got@9.6.0
This issue was fixed in versions: 11.8.5, 12.1.0

✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in node-fetch@2.6.1
introduced by crisp-api@6.3.0 > fbemitter@3.0.0 > fbjs@3.0.2 > cross-fetch@3.1.4 > node-fetch@2.6.1
This issue was fixed in versions: 2.6.7, 3.1.1

For information, got@9.6.0 is a release from Jan 2019, so it is maybe time to upgrade even if there is no direct threat for my application.

Cheers,

@eliottvincent
Member

Hey! I'll take a look at those over the week-end :)

@eliottvincent eliottvincent reopened this Sep 9, 2022
@creativityjuice
Contributor Author

Hey,

Any news?

@baptistejamin
Member

As explained above, there is absolutely no risk for either:

  1. The normalize-url@4.5.0 ReDoS issue affects data: URLs. As this is a REST API client, there is absolutely no data: involved.
  2. ws@7.4.5 can only affect WebSocket servers. Here it is a WebSocket client.

You can relax about this. We will likely update those packages in the future.

@creativityjuice
Contributor Author

Thanks for your reply. These packages are ok now, I reopened this issue for other packages 25 days ago.

Hi,

I'm back with my security issues on your package. Could you fix these issues please:

✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-GOT-2932019] in got@9.6.0
introduced by crisp-api@6.3.0 > got@9.6.0
This issue was fixed in versions: 11.8.5, 12.1.0

✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in node-fetch@2.6.1
introduced by crisp-api@6.3.0 > fbemitter@3.0.0 > fbjs@3.0.2 > cross-fetch@3.1.4 > node-fetch@2.6.1
This issue was fixed in versions: 2.6.7, 3.1.1

For information, got@9.6.0 is a release from Jan 2019, so it is maybe time to upgrade even if there is no direct threat for my application.

Cheers,

@eliottvincent
Member

Hey @creativityjuice! I've just released v6.3.1, which contains the necessary dependency upgrades.

@creativityjuice
Contributor Author

Hi @eliottvincent,

We have had an issue since your last release (6.3.1) with crisp_client.website.createNewConversation.
Here is the error returned:
{"reason":"error","message":"internal_error","code":500,"data":{"namespace":"request","message":"Got request error: RequestError"}}

It looks like the Got update introduced a bug.
Here is the code I use:

const { session_id } = await crisp_client.website.createNewConversation(crisp_config.website_id);

@eliottvincent
Member

Hey! Can you try using v6.3.2? There was indeed a bug in v6.3.1, as Got changed the way they handle errors, and this wasn't documented in their migration procedure.
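The failure described in this exchange is what an unhandled change in a library's error shape looks like from the outside: the client's exception escapes as an opaque 500 with "Got request error: RequestError" in the envelope quoted above. The following is an added example, not code from crisp-api or from Got, of wrapping an HTTP client so that both an HTTP error response and a transport failure are normalised into that same envelope, whichever property layout the thrown error uses. The three error shapes it recognises (a transport `RequestError` carrying `code`, an older-style `HTTPError` with `statusCode`/`body` on the error, and a newer-style one with them under `response`) are assumptions made for illustration, not taken from Got's documentation.

```javascript
// Added example, not crisp-api or Got code: normalise whatever the HTTP client throws into
// the JSON error envelope quoted earlier in this thread, so that a changed error shape after a
// dependency upgrade yields a categorised error rather than an opaque "internal_error" 500.
//
// The error shapes handled are assumptions for illustration, not taken from Got's docs:
//   - transport failure: err.name "RequestError", err.code such as "ECONNREFUSED", no response
//   - HTTP failure, older style: err.name "HTTPError", err.statusCode, err.body
//   - HTTP failure, newer style: err.name "HTTPError", err.response.statusCode, err.response.body

function pickStatus(err) {
  if (err && err.response && Number.isInteger(err.response.statusCode)) return err.response.statusCode;
  if (err && Number.isInteger(err.statusCode)) return err.statusCode;
  return null; // no HTTP status at all: the request never received a response
}

function pickBody(err) {
  if (err && err.response && err.response.body !== undefined) return err.response.body;
  if (err && err.body !== undefined) return err.body;
  return null;
}

function normalizeRequestError(err) {
  const name = (err && err.name) || "Error";
  const status = pickStatus(err);
  if (status !== null) {
    // The upstream API answered with an error status: propagate it instead of masking it as 500.
    return {
      reason: "error",
      message: "upstream_error",
      code: status,
      data: { namespace: "request", message: `${name}: upstream responded ${status}`, body: pickBody(err) },
    };
  }
  // No response (DNS, TCP, TLS, timeout): this is the envelope the thread quotes.
  return {
    reason: "error",
    message: "internal_error",
    code: 500,
    data: { namespace: "request", message: `Got request error: ${name}`, cause: (err && err.code) || null },
  };
}

// Wrap any client call so a raw exception from the HTTP library never reaches the API response.
async function safeCall(fn) {
  try {
    return { ok: true, value: await fn() };
  } catch (err) {
    return { ok: false, error: normalizeRequestError(err) };
  }
}

// Demo with a constructed transport failure (no real network access).
safeCall(async () => {
  throw Object.assign(new Error("connect ECONNREFUSED"), { name: "RequestError", code: "ECONNREFUSED" });
}).then((result) => console.log(JSON.stringify(result.error)));
```

The value of the wrapper is that the distinction that matters to a caller (did the upstream answer, and with what status, or did the request never complete) survives a library upgrade that moves properties around; the raw error is still available for logging at the call site.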

@creativityjuice
Contributor Author

Thanks for your fast reply. Indeed it works with the new release. I should have tried that first ;)

@crisp-im crisp-im deleted a comment from baptistejamin Oct 18, 2022
@eliottvincent
Member

Perfect!

@creativityjuice
Contributor Author

Hi there,

There is a new critical security issue on your package. It's related to socket.io and there is a fixed version. I know that it's just a proof of concept, but could you update your package please:

✗ Improper Input Validation [Critical Severity][https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012] in socket.io-parser@4.1.2
introduced by crisp-api@7.0.0 > socket.io-client@4.4.1 > socket.io-parser@4.1.2
This issue was fixed in versions: 3.3.3, 3.4.2, 4.0.5, 4.2.1

Thanks a lot,

@valeriansaliou
Member

socket.io-client has no updated package as of now; we'll wait for an update to be released on their side: https://github.com/socketio/socket.io-client/commits/main

@creativityjuice
Contributor Author

creativityjuice commented Apr 24, 2023

Hi there,

socket.io-client now has a 4.6.1.
New and old security issues for you:

✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783] in http-cache-semantics@4.1.0
introduced by crisp-api@7.4.1 > got@11.8.5 > cacheable-request@7.0.2 > http-cache-semantics@4.1.0
This issue was fixed in versions: 4.1.1

✗ Improper Input Validation [Critical Severity][https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012] in socket.io-parser@4.1.2
introduced by crisp-api@7.4.1 > socket.io-client@4.4.1 > socket.io-parser@4.1.2
This issue was fixed in versions: 3.3.3, 3.4.2, 4.0.5, 4.2.1

✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450] in ua-parser-js@0.7.31
introduced by crisp-api@7.4.1 > fbemitter@3.0.0 > fbjs@3.0.4 > ua-parser-js@0.7.31
This issue was fixed in versions: 0.7.33, 1.0.33

Could you fix that?
