
CVE-2022-29622 (High) detected in formidable-2.0.1.tgz - autoclosed #1593

Closed
mend-for-github.aaakk.us.kg bot opened this issue May 17, 2022 · 8 comments
Assignees
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

mend-for-github.aaakk.us.kg bot commented May 17, 2022

CVE-2022-29622 - High Severity Vulnerability

Vulnerable Library - formidable-2.0.1.tgz

A node.js module for parsing form data, especially file uploads.

Library home page: https://registry.npmjs.org/formidable/-/formidable-2.0.1.tgz

Dependency Hierarchy:

  • supertest-6.2.2.tgz (Root Library)
    • superagent-7.1.2.tgz
      • formidable-2.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled.
Mend Note: After conducting further research, Mend has determined that this is a controversial case. Mend's security team suggests referring to it as a risky feature rather than a critical vulnerability.

Publish Date: 2022-05-16

URL: CVE-2022-29622

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-16

Fix Resolution: formidable - 3.2.4

@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label May 17, 2022
@tmarkley tmarkley added medium severity Medium severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels May 20, 2022
@tmarkley
Contributor

$ yarn why formidable
yarn why v1.22.18
[1/4] Why do we have the module "formidable"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#supertest#superagent" depends on it
   - Hoisted from "_project_#supertest#superagent#formidable"
info Disk size without dependencies: "148KB"
info Disk size with unique dependencies: "500KB"
info Disk size with transitive dependencies: "1.09MB"
info Number of shared dependencies: 12
Done in 0.91s.

@tmarkley
Contributor

$ npm ls formidable
[email protected] /home/ubuntu/ws/OpenSearch-Dashboards
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

@tmarkley
Contributor

This CVE is still undergoing analysis by NVD - it's unclear if Dashboards is impacted.

@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title CVE-2022-29622 (Medium) detected in formidable-2.0.1.tgz CVE-2022-29622 (High) detected in formidable-2.0.1.tgz Jun 2, 2022
joshuarrrr added a commit to joshuarrrr/OpenSearch-Dashboards that referenced this issue Jun 24, 2022
`useExpandedHeader` instead of `useExpandedMenu`

fixes opensearch-project#1593

Signed-off-by: Josh Romero <[email protected]>
@CCongWang
Contributor

$ npm ls formidable
[email protected] /home/ubuntu/github/OpenSearch-Dashboards
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

@CCongWang
Contributor

Currently superagent still uses [email protected] (code). Do we need to wait for superagent to upgrade formidable? @kavilla

@ananzh
Member

ananzh commented Nov 1, 2022

The fix is to bump formidable to v3.2.4+

Currently [email protected] is using [email protected]. The latest superagent is still using formidable:^2.0.1.

Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md

I think the solution is to resolve it to v3.2.4 but no backport. This CVE should be fixed in 3.0.0 due to breaking changes.

@ananzh ananzh self-assigned this Nov 1, 2022
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Nov 1, 2022
Currently the latest superagent still uses [email protected]
which causes the security issue.
https://github.com/visionmedia/superagent/blob/e8d532632bea846e6a8c7677a268dca3641271e7/package.json#L27

Formidable bump to v3.2.4 includes breaking changes:
https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md

In this PR, we resolve formidable to 3.2.4+. The fix will not be
backported to 2.x.

Issue Resolved:
opensearch-project#1593

Signed-off-by: Anan Zhuang <[email protected]>
@zhongnansu zhongnansu added high severity High severity CVE and removed medium severity Medium severity CVE labels Nov 15, 2022
@zhongnansu
Member

zhongnansu commented Nov 16, 2022

Issue:

  • formidable@v2 is reported to have a CVE, and the fix was released in formidable@v3, a major version. But v3 is an ESM module without CommonJS support. After adding a resolution in package.json, our unit tests throw an error.
Summary of all failing tests
 FAIL  src/core/server/http/http_server.test.ts
  ● Test suite failed to run

    Jest encountered an unexpected token

    Jest failed to parse a file. This happens e.g. when your code or its dependencies use non-standard JavaScript syntax, or when Jest is not configured to support such syntax.

    Out of the box Jest supports Babel, which will be used to transform your files into valid JS based on your Babel configuration.

    By default "node_modules" folder is ignored by transformers.

    Here's what you can do:
     • If you are trying to use ECMAScript Modules, see https://jestjs.io/docs/ecmascript-modules for how to enable it.
     • If you are trying to use TypeScript, see https://jestjs.io/docs/getting-started#using-typescript
     • To have some of your "node_modules" files transformed, you can specify a custom "transformIgnorePatterns" in your config.
     • If you need a custom transformation specify a "transform" option in your config.
     • If you simply want to mock your non-JS modules (e.g. binary assets) you can stub them out with the "moduleNameMapper" config option.

    You'll find more details and examples of these config options in the docs:
    https://jestjs.io/docs/configuration
    For information about custom transformations, see:
    https://jestjs.io/docs/code-transformation

    Details:

    /__w/OpenSearch-Dashboards/OpenSearch-Dashboards/node_modules/formidable/src/index.js:1
    ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,jest){import PersistentFile from './PersistentFile.js';
                                                                                      ^^^^^^

    SyntaxError: Cannot use import statement outside a module

      at Runtime.createScriptFromCode (node_modules/jest-runtime/build/index.js:1728:14)
      at Object.<anonymous> (node_modules/superagent/src/node/index.js:17:20)
      at Object.<anonymous> (node_modules/supertest/lib/test.js:11:21)
  • To fix the unit tests, we modified jest.config.js to use dynamic import. The unit tests pass now, but our functional tests (Cypress) then throw another error.
Must use import to load ES Module: /__w/OpenSearch-Dashboards/OpenSearch-Dashboards/node_modules/formidable/src/index.js
require() of ES modules is not supported.

In the meantime I found some other discussion on formidable and on the parent libraries' (superagent and supertest) GitHub repos. Briefly speaking, superagent won't upgrade formidable to v3 to resolve the CVE. Because v3 doesn't support ESM, they insist on asking formidable to backport the fix to v2, as well as asking their vulnerability consultant Snyk to revoke the CVE (Snyk did).

References

Summary

  • I think we need to reach out to Mend to see if they have plan to revoke the CVE.
  • See if other tricks work to support ESM

cc @ananzh @tmarkley @joshuarrrr @kavilla any thoughts?

@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title CVE-2022-29622 (High) detected in formidable-2.0.1.tgz CVE-2022-29622 (High) detected in formidable-2.0.1.tgz - autoclosed Nov 30, 2022
@mend-for-github.aaakk.us.kg
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
