
Security vulnerabilities in dependencies in request and https-proxy-agent #4402

Closed
xyzhezac opened this issue Mar 9, 2022 · 1 comment · Fixed by #4613

xyzhezac commented Mar 9, 2022

How frequently does the bug occur?

All the time

Description

npm dependencies request and https-proxy-agent have security vulnerabilities. Are there any plans to update the dependencies to versions that do not have the vulnerabilities, or to change the dependencies to alternative ones?

We are using realm as a local mobile database only on react native. Could you also advise if the security vulnerabilities are relevant in the context of a local mobile database?

request

Vulnerability: sonatype-2017-0655
CVSS Score: 5.9
Component: request : 2.88.2
Fix Available: No recommended versions are available for the current component

The request package is vulnerable to Weak Authentication Algorithm. The OAuth.prototype.buildBodyHash function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure. With enough resources an attacker might be able to crack the authentication mechanism and cause security attacks.

https-proxy-agent

Vulnerability: sonatype-2019-0419
CVSS Score: 5.9
Component: https-proxy-agent : 2.2.4
Fix Available: https-proxy-agent : 3.0.0

The https-proxy-agent package is vulnerable to Man-in-the-Middle. The ondata and onsocket functions in index.js do not upgrade TLS connections as they normally do when connecting to a proxy that doesn't return a 200 response to the initial CONNECT request. Consequently, a MitM listening to this could potentially view sensitive data that would have otherwise been hidden by TLS.

Stacktrace & log output

No response

Can you reproduce the bug?

Yes, always

Reproduction Steps

Run vulnerability scan (Nexus IQ) to produce the following vulnerabilities:
sonatype-2017-0655
sonatype-2019-0419

Version

10.13.0

What SDK flavour are you using?

Local Database only

Are you using encryption?

Yes, using encryption

Platform OS and version(s)

React Native

Build environment

Which debugger for React Native: ..

Cocoapods version

No response

kneth (Contributor) commented Mar 9, 2022

Thank you for reporting.

I believe that https-proxy-agent is only used by https://github.com/realm/realm-js/blob/master/scripts/download-realm.js - which to my best knowledge isn't used anymore.

I leave the issue open to help us track cleaning up old scripts.
