
Crash in HeaderParser in dicer - git hub security alert #30

Closed
pravichandran15 opened this issue May 26, 2022 · 14 comments

Comments

@pravichandran15

Please find the link below for the git hub security alert.

GHSA-wm7h-9275-46v2

@jitbasemartin

It seems it will not be fixed in dicer: #22
If, like me, the vulnerability comes from multer, a fix is ongoing: expressjs/multer#1097

@deepaljain

In our case the vulnerability is coming from firebase-admin. Is there any fix available?

@kbocock-krg

Need a fix for this so NestJS can be patched. Is there an ETA?

@jitbasemartin

This PR should fix NestJS: nestjs/nest#9686

@mgav

mgav commented Jun 3, 2022

Duplicate of my post on the same issue, elsewhere:

Preamble: I am a novice and this is not advice on what you should do - I'm just relaying what I did and what the outcome was.

After deploying my Vuejs3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment above.

Having no other solutions on the table, I decided to uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g [email protected]).

BUT, after the first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got was a ton of high severity warnings and problems.

So I decided to once again uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g [email protected]) and that's it (did NOT run npm audit fix).

I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!

@Lucas-Angelo

In our case the vulnerability is coming from firebase-admin. Is there any fix available?

Me too

@pavleprica

pavleprica commented Jun 6, 2022

Solution that worked for me was to add:
(In our case it's nest)

"overrides": {
  "@nestjs/platform-express": {
    "multer": "1.4.4-lts.1"
  }
},

to package.json.
Though, it comes with a requirement of a minimum of npm 8.3.0. So we added that to the package.json as well. Also, please do delete package-lock.json and node_modules beforehand.

More on overrides

@lorand-horvath

lorand-horvath commented Jun 8, 2022

I have a dep chain apollo-server-express > apollo-server-core > @apollographql/graphql-upload-8-fork > busboy > dicer throwing this High severity vulnerability for dicer 0.3.0 (fixed dependency version in busboy 0.3.1, unfortunately).
Is there an estimated date for fixing this?

@RikuRuokonen

I have dep chain that throws this: "graphql-upload": "11.0.0" --> busboy "^0.3.1" --> dicer "0.3.0"

Any update on this?

@mscdex
Owner

mscdex commented Jun 20, 2022

@RikuRuokonen Lodge an issue with the graphql-upload project owners to update their busboy dependency.

@lorand-horvath

lorand-horvath commented Jun 20, 2022

@mscdex Well, I have raised an issue with apollo-server asking them to fix the busboy 0.3.1 dep vulnerability in Apollo Server 2.x: apollographql/apollo-server#6590
The reply was to update to 3.x: "Please upgrade to AS3. AS4 is close to ready! AS2 ships with hardcoded integrations with many pieces of outdated and unmaintained software."
This I cannot personally do, because it's in fact a dependency of @vue/cli. I posted an issue there as well and haven't got any response yet: vuejs/vue-cli#7198
So I'm running in circles, I guess...

@RikuRuokonen You cannot open an issue with graphql-upload in this repo https://github.com/apollographql/graphql-upload because the function is disabled.
Unless we are talking about the original repo https://github.com/jaydenseric/graphql-upload

ghandmann added a commit to ghandmann/HS-AlbSig-WebAnwendungen2 that referenced this issue Jun 21, 2022
@gerson-ribeiro

Solution that worked for me was to add: (In our case it's nest)

"overrides": {
  "@nestjs/platform-express": {
    "multer": "1.4.4-lts.1"
  }
},

to package.json. Though, it comes with a requirement of a minimum of npm 8.3.0. So we added that to the package.json as well. Also, please do delete package-lock.json and node_modules beforehand.

More on overrides

It works for me too, thanks!

@widget-

widget- commented Feb 5, 2024

I have dep chain that throws this: "graphql-upload": "11.0.0" --> busboy "^0.3.1" --> dicer "0.3.0"

Any update on this?

I've been able to bypass it by replacing with a maintained busboy fork:

"resolutions": {
  "busboy": "npm:@fastify/busboy@^2.1.0"
}

This is for yarn. I believe that with npm you may have to replace "resolutions": with "overrides":.

It seems I may have just done this wrong then, since I had thought I had updated busboy.

@mscdex
Owner

mscdex commented Feb 5, 2024

@widget- The official busboy package is maintained. It however no longer uses dicer, so upgrading the copy of busboy is sufficient to resolve this particular issue.

Closing this as most upstream packages are indirectly using dicer via an old, unsupported version of busboy and upgrading busboy will resolve the problem.

@mscdex mscdex closed this as completed Feb 5, 2024