
5.0.2 is throwing high severity security; audit fix wants to downgrade to 4.2.0 #1483

Closed
StoneCypher opened this issue Aug 3, 2021 · 16 comments

@StoneCypher

StoneCypher commented Aug 3, 2021

5.0.2 is throwing high severity security. The underlying problem appears to be node-gyp.

Audit fix wants to downgrade to 4.2.0

Development machine is Windows 10 Pro running Git Bash

$ npm audit
# npm audit report

tar  <=3.2.2 || 4.0.0 - 4.4.14 || 5.0.0 - 5.0.6 || 6.0.0 - 6.1.1
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
fix available via `npm audit fix --force`
Will install sqlite3@4.2.0, which is a breaking change
node_modules/tar
  node-gyp  <=3.8.0
  Depends on vulnerable versions of tar
  node_modules/node-gyp
    sqlite3  >=5.0.0
    Depends on vulnerable versions of node-gyp
    node_modules/sqlite3

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force


@rwky

rwky commented Aug 4, 2021

I've tested the master branch and this isn't a problem there. The master branch build is failing, but that looks to be a missing Python dependency in the CI env. The diff between master and 5.0.2 is minimal, so if the CI could be fixed it should be straightforward to cut a new release.

@dearzubi

dearzubi commented Aug 7, 2021

Is anyone working on this?

@bennycode

I am using sqlite3 v5.0.2, which defines node-gyp v3.x as a peer dependency. Unfortunately, node-gyp 3.x (3.8.0) is currently 302 commits behind the latest node-gyp and uses the vulnerable dependency tar v2.2.2: GHSA-3jfq-g458-7qm9

I can see that the "master" branch of "node-sqlite3" already uses node-gyp v7.x. @kewde Can you please create a release for it?

@createthis

@kewde Is the failure in master a temporary network error? https://ci.appveyor.com/project/Mapbox/node-sqlite3/builds/38143237/job/mwmk1n45rrd3s8gi

Can someone re-run the CI test suite to see if it was a temporary failure?

What is preventing the tagging of a new release?

@louislam

louislam commented Aug 10, 2021

I published my fork on npm which is using the latest source code of this repo.
https://github.com/louislam/node-sqlite3

npm install @louislam/sqlite3
npm remove sqlite3
// Replace require('sqlite') in source code
require('@louislam/sqlite')

You can use this as a temporary fix. Switch back to mapbox/node-sqlite3 once it gets fixed.

@jan-swiecki

Workaround:

npm install git@github.com:mapbox/node-sqlite3.git

@createthis

createthis commented Aug 10, 2021

Workaround:

npm install git@github.com:mapbox/node-sqlite3.git

Even better, tag the commit so that it can't change when someone merges a PR:

npm install git+https://github.com/mapbox/node-sqlite3.git#593c9d

@kewde kewde self-assigned this Aug 12, 2021
@kewde
Collaborator

kewde commented Aug 12, 2021

Hi,

I will take a look at this ASAP.

@NehaNaithani

Hi,

I am also getting a high-severity vulnerability issue in 5.2.0, and npm audit fix downgrades the package to 4.2.0.


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite due to insufficient        │
│               │ absolute path sanitization                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.2 <4.0.0 || >=4.4.14  <5.0.0 || >=5.0.6 <6.0.0 ||      │
│               │ >=6.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1770                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.3 <4.0.0 || >=4.4.15  <5.0.0 || >=5.0.7 <6.0.0 ||      │
│               │ >=6.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1771                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Thanks
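A defender-side check for the situation the two audit reports in this thread describe: the "Patched in" ranges quoted above, evaluated against every copy of tar in an `npm ls --all --json`-shaped dependency tree. This is an added example, not code from node-sqlite3, npm or any commenter; the tree is constructed to mirror the reported `sqlite3 > node-gyp > tar` path, and the range grammar is the subset npm audit prints (comparators ANDed by whitespace, alternatives joined by `||`).

```python
import re

# "Patched in" ranges exactly as printed in the two npm audit tables above.
PATCHED = {
    "1770": ">=3.2.2 <4.0.0 || >=4.4.14  <5.0.0 || >=5.0.6 <6.0.0 || >=6.1.1",
    "1771": ">=3.2.3 <4.0.0 || >=4.4.15  <5.0.0 || >=5.0.7 <6.0.0 || >=6.1.2",
}
OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "": lambda a, b: a == b}

def parse_version(v):
    """major.minor.patch as a comparable tuple (pre-release tags are ignored)."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def satisfies(version, range_expr):
    """npm-style range check: '||' separates alternatives, whitespace ANDs comparators."""
    v = parse_version(version)
    for alt in range_expr.split("||"):
        comps = re.findall(r"(>=|<=|>|<|)\s*(\d+\.\d+\.\d+)", alt)
        if comps and all(OPS[op](v, parse_version(ver)) for op, ver in comps):
            return True
    return False

def vulnerable_paths(tree, pkg="tar", path=()):
    """Walk an `npm ls --all --json`-shaped tree and yield (path, version, advisory)
    for every copy of `pkg` whose version lies outside an advisory's patched range."""
    for name, node in tree.get("dependencies", {}).items():
        here = path + (name,)
        if name == pkg:
            for adv, rng in PATCHED.items():
                if not satisfies(node["version"], rng):
                    yield " > ".join(here), node["version"], adv
        yield from vulnerable_paths(node, pkg, here)

# Constructed sample tree: the reported sqlite3 > node-gyp 3.8.0 > tar 2.2.2 path,
# plus a top-level tar 6.1.1 that only advisory 1771 still catches.
SAMPLE_TREE = {"name": "app", "dependencies": {
    "sqlite3": {"version": "5.0.2", "dependencies": {
        "node-gyp": {"version": "3.8.0", "dependencies": {
            "tar": {"version": "2.2.2"}}}}},
    "tar": {"version": "6.1.1"},
}}

def report(tree=SAMPLE_TREE):
    return sorted(vulnerable_paths(tree))

if __name__ == "__main__":
    for path, ver, adv in report():
        print(f"{path}@{ver} is not covered by the fix for advisory {adv}")
```

Feed it the parsed output of `npm ls --all --json` from a real project to see which nested copies of tar, not just the top-level one, still need a fixed node-gyp.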

@ijavid

ijavid commented Aug 27, 2021

@kewde Any news on this?

brendannee added a commit to BlinkTagInc/node-gtfs that referenced this issue Sep 13, 2021
- pinned sqlite3 version to solve security issue: TryGhost/node-sqlite3#1483
robinWongM added a commit to robinWongM-archives/fast-ddns-server that referenced this issue Sep 23, 2021
@ghost

ghost commented Sep 26, 2021

Almost 1 month later. I know things take time, but is there any news on this?

@josep11

josep11 commented Sep 28, 2021

I published my fork on npm which is using the latest source code of this repo. https://github.com/louislam/node-sqlite3

npm install @louislam/sqlite3
npm remove sqlite3
// Replace require('sqlite') in source code
require('@louislam/sqlite')

You can use this as a temporary fix. Switch back to mapbox/node-sqlite3 once it gets fixed.

For the workaround, I got 'Not found' from npm when trying to install with: npm i @louislam/sqlite

@puja-saraswat

Hi Team,
Is there any update for this issue? We are waiting for the solution to resolve the CVE-2021-32804 vulnerability.

@platrofa

Hi,
Is there any new release planned to solve the node-gyp vulnerability?

@grenik

grenik commented Nov 29, 2021

Looks like there is a solution in #1493 (comment)

@daniellockyer
Member

I believe this should be fixed in v5.0.3 🙂

~/code/node-sqlite3 λ git describe --tags
v5.0.3
~/code/node-sqlite3 λ yarn audit
yarn audit v1.22.15
0 vulnerabilities found - Packages audited: 335
✨  Done in 0.49s.
