Comments (1)
Hi @opravil-jan
We've already checked and discussed this vuln internally; here are the observations we got from the review:
- The min supported node is v10 for semver@7. Currently the only "fixed" version of semver is v7.5.2.
- node-semver doesn't have maintenance branches currently for doing updated v6 or v5 releases. There is a user request on the public node-semver pull above about getting fixed releases of semver@5 (and/or presumably semver@6).
- elastic/apm-agent-nodejs is currently using semver@6 and cannot use semver@7 because it supports back to node v8.6.0.
- The vuln is triggered when untrusted input is given to semver.Range, which is also used indirectly by semver.satisfies(ver, range).
- From the PR fixing the issue, it looks like they guard against provided version strings as well, so any new semver.SemVer(verString) usage too -- which is basically all semver API usage. However, the latest semver@5, semver@6, and semver@7 all have a guard on the max version string being less than 256 chars. My guess is this is why the vuln description is limited to input to new Range.
- While apm-agent-nodejs' runtime code (everything under "lib/...") uses semver.satisfies() heavily, every usage uses a hardcoded static string for the range argument. I.e. there is no untrusted user input involved.
Our conclusion was: apm-agent-nodejs.git (and the apm-nodejs-http-client.git it uses) are not affected by this issue. Also note that we expect to drop support for older node versions such that we can upgrade to the latest semver@7.
It looks like very recently (3 days ago) they started a backport to v6. If it is finally done, we will upgrade to include the fix although the agent is not affected.
Cheers
from apm-nodejs-http-client.
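As an added example (not code from apm-nodejs-http-client or node-semver), here is the audit the comment describes, done mechanically: scan source text for calls that feed a range string into semver and report whether each range argument is a hardcoded string literal (in which case no untrusted input can reach the Range parser) or an expression that needs review. The list of range-taking sinks, the bracket/quote-aware argument splitter used instead of a full JavaScript parser, and the sample source it runs on are all assumptions of this example and not part of the original page.

```javascript
// Added example, not code from apm-nodejs-http-client or node-semver: locate
// every call that feeds a range string into semver (new semver.Range, and
// helpers such as semver.satisfies that build a Range internally) and classify
// the range argument as a hardcoded string literal or a runtime expression.
// Assumptions: the sink list below, and a bracket/quote-aware argument
// splitter rather than a full JavaScript parser.

const RANGE_SINKS = [
  { name: 'new semver.Range',     re: /\bnew\s+semver\.Range\s*\(/g,   rangeArg: 0 },
  { name: 'semver.validRange',    re: /\bsemver\.validRange\s*\(/g,    rangeArg: 0 },
  { name: 'semver.satisfies',     re: /\bsemver\.satisfies\s*\(/g,     rangeArg: 1 },
  { name: 'semver.maxSatisfying', re: /\bsemver\.maxSatisfying\s*\(/g, rangeArg: 1 },
];

// Split the argument list beginning at `start` (just past the opening paren).
// Commas inside nested brackets or string literals do not split. Returns the
// trimmed arguments, or null if the call is never closed.
function splitArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = '';
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      cur += ch;
      if (ch === '\\') cur += src[++i] || '';
      else if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"' || ch === '`') {
      quote = ch; cur += ch;
    } else if (ch === '(' || ch === '[' || ch === '{') {
      depth++; cur += ch;
    } else if (ch === ')' || ch === ']' || ch === '}') {
      if (depth === 0) {                        // the sink call's own closing paren
        if (cur.trim() !== '' || args.length) args.push(cur.trim());
        return args;
      }
      depth--; cur += ch;
    } else if (ch === ',' && depth === 0) {
      args.push(cur.trim()); cur = '';
    } else {
      cur += ch;
    }
  }
  return null;
}

// A range argument is static only if it is one plain string literal:
// no template substitution and no second literal glued on with `+`.
function isStaticString(arg) {
  const m = /^(['"`])([\s\S]*)\1$/.exec(arg);
  if (!m) return false;
  const [, q, body] = m;
  if (q === '`' && body.includes('${')) return false;
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') i++;                  // skip the escaped character
    else if (body[i] === q) return false;       // literal ended early: 'a' + 'b'
  }
  return true;
}

function lineOf(src, idx) {
  return src.slice(0, idx).split('\n').length;
}

// One finding per sink call, in source order.
function auditSemverRanges(src) {
  const findings = [];
  for (const sink of RANGE_SINKS) {
    sink.re.lastIndex = 0;
    let m;
    while ((m = sink.re.exec(src)) !== null) {
      const args = splitArgs(src, m.index + m[0].length);
      const rangeArg = args && args.length > sink.rangeArg ? args[sink.rangeArg] : null;
      findings.push({ line: lineOf(src, m.index), sink: sink.name, rangeArg,
                      static: rangeArg !== null && isStaticString(rangeArg) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// The calls to review: their range argument is not a hardcoded literal.
function dynamicRangeCalls(src) {
  return auditSemverRanges(src).filter((f) => !f.static);
}

// Constructed sample source (not real project code) mixing the static-range
// pattern the comment describes with ranges built from runtime data.
const SAMPLE_SOURCE = [
  "const semver = require('semver')",
  "if (semver.satisfies(process.version, '>=8.6.0 <9')) { useLegacyApi() }",
  'const range = new semver.Range(req.query.range)',
  'const ok = semver.satisfies(ver, `^${major}.0.0`)',
  'const best = semver.maxSatisfying(versions, "~1.2.3")',
  'semver.validRange(userInput.trim(), { loose: true })',
].join('\n');

for (const f of auditSemverRanges(SAMPLE_SOURCE)) {
  console.log(`${f.static ? 'static ' : 'DYNAMIC'}  line ${f.line}  ${f.sink}(${f.rangeArg})`);
}
```

Run against the sample, the two `satisfies`/`maxSatisfying` calls with literal ranges come back static, while the `Range` built from `req.query.range`, the template with a `${}` substitution and the `validRange(userInput.trim(), ...)` call are reported as dynamic and are the ones to look at. A call this scanner cannot split (unbalanced parentheses) is reported with a null range argument and treated as dynamic, so it errs toward review rather than silence.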