This repository has been archived by the owner on Nov 17, 2017. It is now read-only.

Update dependencies as [email protected] is vulnerable to Regular Expression Denial of Service (aka ReDOS) #43

Open
michaelhidalgo opened this issue Jan 18, 2017 · 4 comments

Comments

@michaelhidalgo

michaelhidalgo commented Jan 18, 2017

As stated in this advisory (https://nodesecurity.io/advisories/118), minimatch <=3.0.1 is vulnerable to RegexDOS, and it seems like that version is one of the dependencies generator-kibana relies on at the moment.

You can confirm that by running the following command inside the project containing the plugin:

Michaels-MacBook-Pro:plugin michaelhidalgo$ ls
README.md	node_modules	public
index.js	package.json	server

npm ls minimatch

[email protected] /Users/michaelhidalgo/Desktop/elastic/plugin
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected] 
└─┬ [email protected]
  └── [email protected]

So one of the dependencies of babel depends on the version that might be vulnerable.
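A scripted version of the check described in this comment, added here as an example and not part of the issue thread or the generator-kibana project: it walks the JSON tree that `npm ls --json` prints (add `--all` on npm 7 and later to get the full depth) and reports every copy of minimatch at or below 3.0.1, the range named by the advisory, along with the chain of packages that pulls it in. The dependency tree and the package names in it are constructed placeholders that mirror the shape of the `npm ls` output quoted above; the version comparison is a simplified semver compare that only looks at the major.minor.patch triple.

```javascript
// Example added for illustration; not code from the issue or the project.
// Highest minimatch version the advisory quoted in the thread calls vulnerable.
const VULNERABLE_MAX = '3.0.1';

// Parse "major.minor.patch" (leading "v" and any "-pre"/"+build" suffix are
// dropped). Returns null for anything that is not a plain semver triple.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return parts;
}

// Simplified semver ordering: -1, 0 or 1 like a comparator for sort().
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableMinimatch(version) {
  return compareVersions(version, VULNERABLE_MAX) <= 0;
}

// Depth-first walk over the `npm ls --json` tree. Each node looks like
// { version, dependencies: { name: node, ... } }. Nodes without a version
// (missing or unmet peers) are skipped rather than treated as vulnerable.
function findVulnerableMinimatch(tree, chain = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const label = node.version ? `${name}@${node.version}` : name;
    const path = chain.concat(label);
    if (name === 'minimatch' && node.version && isVulnerableMinimatch(node.version)) {
      out.push(path.join(' > '));
    }
    findVulnerableMinimatch(node, path, out);
  }
  return out;
}

// Convenience wrapper for piped input: `npm ls --json | node check.js`
// would call this with the raw text.
function reportFromNpmLsJson(jsonText) {
  return findVulnerableMinimatch(JSON.parse(jsonText));
}

// Constructed sample tree (placeholder package names and versions), shaped
// like the thread's `npm ls minimatch` output: one vulnerable copy reached
// through a babel helper, one patched copy reached through another tool.
const SAMPLE_TREE = {
  name: 'plugin-placeholder',
  version: '0.0.0',
  dependencies: {
    babel: {
      version: '0.0.1',
      dependencies: {
        'babel-helper-placeholder': {
          version: '0.0.1',
          dependencies: { minimatch: { version: '3.0.1' } },
        },
      },
    },
    'other-tool-placeholder': {
      version: '0.0.1',
      dependencies: { minimatch: { version: '3.0.3' } },
    },
  },
};

for (const hit of findVulnerableMinimatch(SAMPLE_TREE)) {
  console.log('vulnerable minimatch via:', hit);
}
```

On the sample tree this prints the single chain `babel@0.0.1 > babel-helper-placeholder@0.0.1 > minimatch@3.0.1` and stays silent about the 3.0.3 copy, which is the same conclusion the `npm ls` output above reaches by hand. The reported chain also tells you whether the copy sits under a build tool such as babel or under a runtime dependency, which is the question the next comments in the thread raise.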

@w33ble
Contributor

w33ble commented Jan 18, 2017

Thanks for letting us know. The problem is our use of an outdated version of babel, which is a larger issue unfortunately.

I think that because that vulnerable version of minimatch is limited to babel, the code at runtime is still safe. My guess is that babel uses minimatch for its process, and should not affect the code it outputs, but I haven't dug into it, so I could be wrong.

@michaelhidalgo
Author

michaelhidalgo commented Jan 19, 2017

Yes, you are right; if you drill down the search using npm, an outdated version of babel is the one that has it as a dependency.

Michaels-MacBook-Pro:plugin michaelhidalgo$ npm ls [email protected]
[email protected] /Users/michaelhidalgo/Desktop/elastic/plugin
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

I believe the real risk is if someone can trigger the Denial of Service condition from up the dependency chain, that is, by using babel; maybe it is worth doing a PoC to determine if it is exploitable.

@w33ble
Contributor

w33ble commented Jul 25, 2017

Now that Kibana is using a newer babel, this package can in fact be updated.

The template is already updated: https://github.com/elastic/template-kibana-plugin/blob/master/template/package.json

@michaelhidalgo
Author

Cool, I will give it a try and keep you posted.
