Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Formidable CVE #4

Closed
mikeTWC1984 opened this issue Apr 23, 2024 · 12 comments
Closed

Formidable CVE #4

mikeTWC1984 opened this issue Apr 23, 2024 · 12 comments

Comments

@mikeTWC1984
Copy link

npm is now yelling about some critical vuln of formidable. I see this repo is using 2.x. Did you try 3.x yet? The other option is to downgrade.

@mikeTWC1984
Copy link
Author

At a glance, seemed to be safe to upgrade to 3.x.
https://github.com/node-formidable/formidable/blob/master/VERSION_NOTES.md

@jhuckaby
Copy link
Owner

How weird, Snyk doesn't show anything. Is this a brand new vuln or something?

Image

Formidable v3 is a complete ground-up rewrite. There are bound to be issues. What is the vuln anyway? Is there a link to it? How severe is it?

@jhuckaby
Copy link
Owner

If this is a brand new vuln, I'd like to give the Formidable people some time to address it before taking any drastic actions. They still support v2 currently.

v3 has some nasty open issues, for e.g. node-formidable/formidable#958

@mikeTWC1984
Copy link
Author

I get it during "npm install"
image

GHSA-8cp3-66vr-3r4c

@jhuckaby
Copy link
Owner

jhuckaby commented Apr 23, 2024

This vuln is over 2 years old. Why is it suddenly popping up for you now? Do you have a strange package-lock.json file that is downgrading things?

I cannot make heads or tails of this. Here's a whole thread on it, linked from the GHSA issue you pasted:

node-formidable/formidable#856

@jhuckaby
Copy link
Owner

Awesome article defending the security of Formidable: https://gitlab.com/keymandll/blog/-/blob/master/posts/03062022-Invulnerability_Analysis-CVE-2022%E2%80%9329622/index.md

I think this vuln is garbage, personally. Plus, I NEVER allow uploaded files to be named via their CLIENT filenames. That is just asking for trouble. I always generate my own unique filenames across all my apps.

@jhuckaby
Copy link
Owner

I just forced Snyk to re-test the repo. It still can't find any vulns. I am flummoxed!

Screenshot 2024-04-22 at 7 44 02 PM

@mikeTWC1984
Copy link
Author

Nah, just pop-up today during install. Not sure why, maybe it was added to npm db just now.
Ok, so based on that discussion the high score likely is a bit of exaggeration, and we don't do much file upload in cronicle anyway, I guess we can stick with current version then.
Are you still planning to use server-web for V2 cronicle btw?

@jhuckaby
Copy link
Owner

Yeah, I'm going to wait and see what happens. It's very odd that NPM is suddenly reporting a 2-year-old vulnerability, and that Snyk can't even see it.

Are you still planning to use server-web for V2 cronicle btw?

Yup!

Someday I may upgrade to Formidable v3, but I have SO many apps using pixl-server-web that it would be a huge deal to swap out a supporting library like that.

One thing is that I expose the underlying Formidable uploaded file objects to apps using pixl-server-web, so they are relying on the exact API and structure of those objects. I'd have to make sure that v3 does everything EXACTLY the same way as v2, or maybe build some kind of translation layer. It would take a lot of testing. I do have unit tests, but they don't cover Formidable.

@jhuckaby
Copy link
Owner

Ah, the dependabot PR just arrived: #5

I'll start taking a closer look at this soon.

@mikeTWC1984
Copy link
Author

Yeah, looks like they updated their CVE DB indeed, I also got some bot opened issue on github today. I guess we can give a try to 3.x. I'll try test it on my end

@jhuckaby
Copy link
Owner

Fixed in v1.3.30. They did break the API in formidable v3, alas. Everything appears to be wrapped in an array now. I have to intercept it and convert things back to v1 style.

I added unit tests to make sure it's all working exactly the same as formidable v2. I'll bump Cronicle with this release in a few minutes.

Thanks for bringing this to my attention!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants