gulp-webserver@0.9.1

Vulnerabilities

5 via 6 paths

Dependencies

142

Source

npm


critical severity

Arbitrary Code Injection

  • Vulnerable module: open
  • Introduced through: open@0.0.5

Detailed paths

  • Introduced through: gulp-webserver@0.9.1 open@0.0.5
    Remediation: Upgrade to open@6.0.0.

Overview

open is a cross-platform package that opens URLs, files and executables in the user's preferred application.

Affected versions of this package are vulnerable to Arbitrary Code Injection when unsanitized user input is passed as the target to open. The target is handed to a shell, so a crafted value runs attacker-chosen commands with the privileges of the calling process.

The package does come with the following warning in the readme:

The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.

The package open is replacing the opn package, which is now deprecated. The older versions of open are vulnerable.

Note: Upgrading open to the latest version removes this vulnerability, but open 6.x is the renamed opn package and exposes a different API, so callers need to be updated rather than only bumping the version.

Remediation

Upgrade open to version 6.0.0 or higher.


high severity

Command Injection

  • Vulnerable module: lodash.template
  • Introduced through: gulp-util@2.2.20

Detailed paths

  • Introduced through: gulp-webserver@0.9.1 gulp-util@2.2.20 lodash.template@2.4.1

Overview

lodash.template is the Lodash method _.template exported as a standalone Node.js module.

Affected versions of this package are vulnerable to Command Injection via the `variable` option of template. The option is concatenated unescaped into the source of the generated template function, so a crafted value executes arbitrary JavaScript when the compiled template is called.

PoC

var template = require('lodash.template');

// The `variable` option is concatenated unescaped into the generated
// function source, so this value closes the parameter list, injects a
// statement, and reopens the `with(obj)` block that follows. Calling the
// compiled template runs the injected statement.
template('', { variable: '){console.log(process.env)}; with(obj' })()
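The guard below is an added example, not code from lodash.template or from this page. It rejects any `variable` value that is not a plain identifier (an allow-list chosen for this example, not the rule the package applies), and it models the vulnerable code path with a deliberately simplified `compileLikeLodash` that keeps only the `function(<variable>) { ... }` wrapper and the `Function()` compile step; the real compiler, the `sink` import and the payload are this example's own.

```javascript
'use strict';

// Allow-list: the value must be a plain JavaScript identifier. This is this
// example's rule, stricter than anything the package itself enforces.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function assertSafeTemplateVariable(variable) {
  if (variable === undefined) {
    return 'obj'; // lodash's default name for the data object
  }
  if (typeof variable !== 'string' || !IDENTIFIER.test(variable)) {
    throw new TypeError('unsafe `variable` option: ' + JSON.stringify(variable));
  }
  return variable;
}

// Simplified model of the vulnerable code path (assumption: only the
// function wrapper and the Function() compile step are reproduced here).
// The data-object name is concatenated into source text, so it is code,
// not data. `sink` stands in for lodash's imports parameter.
function compileLikeLodash(variable, sink) {
  const source = 'function(' + variable + ') {\n  return "";\n}';
  return Function('sink', 'return ' + source)(sink);
}

// Returns true when the injected statement ran: the payload closes the
// parameter list, adds its own statement, and reopens a `with(obj)` block
// so the rest of the generated source still parses.
function demoInjection() {
  const sink = { hit: false };
  const payload = '){ sink.hit = true }; with(obj';
  compileLikeLodash(payload, sink)();
  return sink.hit;
}

// Same payload through the guard: rejected before any source is built.
function demoGuard() {
  try {
    compileLikeLodash(assertSafeTemplateVariable('){ sink.hit = true }; with(obj'), {});
    return 'compiled';
  } catch (err) {
    return err instanceof TypeError ? 'rejected' : 'error';
  }
}
```

Run `demoInjection()` to see the statement execute under the unguarded path and `demoGuard()` to see the same payload refused. The guard belongs wherever request data can reach template options; in gulp-util's case that is normally never, which is why the practical risk here is low despite the missing fix.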

Remediation

There is no fixed version for lodash.template. Until gulp-util drops the dependency, never let untrusted input reach the `variable` option of template.


high severity

Arbitrary Command Injection

  • Vulnerable module: open
  • Introduced through: open@0.0.5

Detailed paths

  • Introduced through: gulp-webserver@0.9.1 open@0.0.5
    Remediation: Upgrade to open@6.0.0.

Overview

open is a cross-platform package that opens URLs, files and executables in the user's preferred application.

Affected versions of this package are vulnerable to Arbitrary Command Injection. URLs are not escaped before being concatenated into the command string that is run through exec(), so shell metacharacters in a URL (for example `;`, backticks or `$(...)`) are interpreted by the shell and execute additional commands.

Note: Upgrading open to the latest version removes this vulnerability, but open 6.x is the renamed opn package and exposes a different API, so callers need to be updated rather than only bumping the version.

Remediation

Upgrade open to version 6.0.0 or higher.


high severity

Prototype Override Protection Bypass

  • Vulnerable module: qs
  • Introduced through: tiny-lr@0.1.4

Detailed paths

  • Introduced through: gulp-webserver@0.9.1 tiny-lr@0.1.4 body-parser@1.8.4 qs@2.2.4
    Remediation: Upgrade to tiny-lr@1.0.0.
  • Introduced through: gulp-webserver@0.9.1 tiny-lr@0.1.4 qs@2.2.5
    Remediation: Upgrade to tiny-lr@1.0.0.

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Prototype Override Protection Bypass. By default qs protects against attacks that attempt to overwrite an object's existing prototype properties, such as toString(), hasOwnProperty(), etc.

From qs documentation:

By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use plainObjects as mentioned above, or set allowPrototypes to true which will allow user input to overwrite those properties. WARNING It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten. Always be careful with this option.

Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more.

In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with [ or ]. For example, qs.parse("]=toString") returns { toString: true }; the own property now shadows Object.prototype.toString, so calling toString() on the object throws a TypeError.

Example:

var qs = require('qs');

// The default protection drops a parameter that names a prototype member.
qs.parse('toString=foo', { allowPrototypes: false })
// {}

// A leading ']' bypasses the check in affected versions.
qs.parse(']=toString', { allowPrototypes: false })
// { toString: true } <== prototype member shadowed
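To make the impact concrete, here is an added example, not code from qs or from this page. It shows consumer code that breaks once a parsed query shadows toString, and a guard that walks a parsed object and rejects any own key colliding with an Object.prototype member before the object is used. The parsed objects are constructed by hand to match what the advisory says an affected qs returns, so the example runs without qs installed.

```javascript
'use strict';

// Every property name that lives on Object.prototype (toString,
// hasOwnProperty, __proto__, constructor, ...).
const PROTOTYPE_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));

// Walks a parsed query object and returns the dotted path of the first own
// key that would shadow an Object.prototype member, or null if none does.
function findPrototypeCollision(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path.concat(key);
    if (PROTOTYPE_NAMES.has(key)) return here.join('.');
    const nested = findPrototypeCollision(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Typical consumer code: implicitly trusts that the instance still has the
// prototype's methods. Throws a TypeError once toString is shadowed.
function describeQuery(query) {
  return query.toString() + ' keys=' + Object.keys(query).join(',');
}

// Hardened consumer: reject shadowing keys up front and call prototype
// methods explicitly instead of through the (possibly polluted) instance.
function safeDescribeQuery(query) {
  const collision = findPrototypeCollision(query);
  if (collision !== null) {
    throw new RangeError('query parameter shadows Object.prototype: ' + collision);
  }
  return Object.prototype.toString.call(query) + ' keys=' + Object.keys(query).join(',');
}

// Constructed inputs (assumptions for the demo): what an affected qs
// returns for "]=toString", a nested variant, and an ordinary query.
const POLLUTED_QUERY = { toString: true };
const NESTED_POLLUTED_QUERY = { filter: { hasOwnProperty: '1' } };
const CLEAN_QUERY = { page: '2', sort: 'name' };
```

The guard is a stop-gap for code that cannot upgrade immediately; the real fix is the qs upgrade, reached here through tiny-lr 1.0.0. Calling `Object.prototype.hasOwnProperty.call(obj, key)` rather than `obj.hasOwnProperty(key)` is the same idea applied to the other commonly shadowed method.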


Disclosure Timeline

  • February 13th, 2017 - Reported the issue to package owner.
  • February 13th, 2017 - Issue acknowledged by package owner.
  • February 16th, 2017 - Partial fix released in versions 6.0.3, 6.1.1, 6.2.2, 6.3.1.
  • March 6th, 2017 - Final fix released in versions 6.4.0, 6.3.2, 6.2.3, 6.1.2 and 6.0.4.

Remediation

Upgrade qs to version 6.0.4, 6.1.2, 6.2.3, 6.3.2 or higher.


high severity

Denial of Service (DoS)

  • Vulnerable module: trim-newlines
  • Introduced through: gulp-util@2.2.20

Detailed paths

  • Introduced through: gulp-webserver@0.9.1 gulp-util@2.2.20 dateformat@1.0.12 meow@3.7.0 trim-newlines@1.0.0
    Remediation: Upgrade to gulp-util@3.0.8.

Overview

trim-newlines trims newlines from the start and/or end of a string.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the end() method: the regular expression it uses to strip trailing newlines backtracks excessively on a long run of newline characters that is not at the end of the input (Regular Expression Denial of Service, ReDoS), so a crafted string ties up the event loop.
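The following is an added example, not code from trim-newlines or from this page. The vulnerable function is a reconstruction of the pattern class the advisory describes (assumption: a greedy `[\r\n]+$` replace; the package's exact source is not reproduced here), placed beside a linear-time backwards scan that returns the same results, plus a timing helper and a constructed adversarial input.

```javascript
'use strict';

// Reconstruction of the vulnerable pattern class (assumption: a greedy
// `[\r\n]+$` replace). On "\n".repeat(n) + "x" the engine consumes the run
// of newlines from every start position, fails at `$`, and backtracks,
// so matching costs O(n^2) even though the result is the unchanged input.
function vulnerableTrimEnd(str) {
  return str.replace(/[\r\n]+$/, '');
}

// Linear-time replacement: scan backwards over trailing CR/LF and slice.
function safeTrimEnd(str) {
  let end = str.length;
  while (end > 0) {
    const code = str.charCodeAt(end - 1);
    if (code !== 10 && code !== 13) break; // 10 = \n, 13 = \r
    end -= 1;
  }
  return str.slice(0, end);
}

// Constructed adversarial input: a long run of newlines that is NOT at the
// end of the string, so the regex can never succeed and must backtrack.
function adversarialInput(n) {
  return '\n'.repeat(n) + 'x';
}

// Runs one implementation on the input and returns elapsed milliseconds.
function timeTrim(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Side-by-side timing; the regex cost grows quadratically with n, the loop
// linearly. n = 20000 keeps the demo to a fraction of a second.
function demo(n = 20000) {
  const input = adversarialInput(n);
  return {
    regexMs: timeTrim(vulnerableTrimEnd, input),
    loopMs: timeTrim(safeTrimEnd, input),
  };
}
```

Call `demo()` and then `demo(40000)` to see the regex time roughly quadruple while the loop time stays flat. The inputs that reach trim-newlines here come from meow's CLI argument handling inside dateformat, so the exposure for a build-time tool is limited, but the same pattern in request-handling code is a one-request outage.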

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike most other vulnerabilities, DoS attacks usually do not aim at breaching confidentiality or integrity. They target availability: making websites and services unavailable to genuine users and causing downtime.

One widely known form is DDoS (Distributed Denial of Service), an attack that clogs the network pipes to a system by generating a large volume of traffic from many machines. DDoS is an attack technique rather than a flaw in any one component.

In open source libraries, by contrast, a DoS vulnerability is a flaw in the library's own code that lets an attacker crash or cripple the service with far less effort than a volumetric attack, often with a single crafted input.

Two common types of DoS vulnerabilities:

  • High CPU/memory consumption - an attacker sends crafted requests that cause the system to take a disproportionate amount of time or memory to process. Example: commons-fileupload:commons-fileupload.

  • Crash - an attacker sends crafted requests that cause the system to crash. Example: the npm ws package.

Remediation

Upgrade trim-newlines to version 3.0.1, 4.0.1 or higher.
