
Vulnerability in dependency growl 1.9.2 #2791

Closed
balsamiqFlorian opened this issue May 8, 2017 · 9 comments
Labels
status: needs upstream fix defect within Mocha's dependency tree

Comments

@balsamiqFlorian

Hi,

I got a report that mocha includes growl 1.9.2 which is vulnerable to an arbitrary code injection.
https://snyk.io/vuln/npm%3Agrowl%3A20160721?utm_campaign=vuln_alert&utm_medium=email&utm_source=Vuln

This issue is closed in growl 1.9.3.

Thanks.

@ScottFreeCode
Contributor

Is there a way we can tell Snyk that Growl 1.9.3 does not in fact exist, and that the commit they reference is only in a fork (so it is possible that in the future Growl 1.9.3 could be published before fixing this issue, thus rendering their instructions incorrect once 1.9.3 does exist)?

If anybody wants to look at whether Mocha is actually at risk from this, I believe these would be the lines to examine:

mocha/lib/mocha.js, lines 241 to 257 in 8a3cab0:

```js
Mocha.prototype._growl = function (runner, reporter) {
  var notify = require('growl');
  runner.on('end', function () {
    var stats = reporter.stats;
    if (stats.failures) {
      var msg = stats.failures + ' of ' + runner.total + ' tests failed';
      notify(msg, { name: 'mocha', title: 'Failed', image: image('error') });
    } else {
      notify(stats.passes + ' tests passed in ' + stats.duration + 'ms', {
        name: 'mocha',
        title: 'Passed',
        image: image('ok')
      });
    }
  });
};
```

@ScottFreeCode ScottFreeCode added the status: needs upstream fix defect within Mocha's dependency tree label May 14, 2017
@andris310

Got same warning in Node Security Platform https://nodesecurity.io/advisories/146

@Fzzr

Fzzr commented Jul 6, 2017

See issue tj/node-growl#60 and PRs tj/node-growl#61 and tj/node-growl#62

@KaiSchwarz-cnic

Got same warning using retire.js

faust64 added a commit to faust64/mocha that referenced this issue Jul 14, 2017
Following-up on mochajs#2798 & mochajs#2791, update growl that is known to be vulnerable
brimtown added a commit to brimtown/mocha that referenced this issue Jul 17, 2017
* Growl 1.9.2 is vulnerable to arbitrary code injection,
  and causes security warnings for Mocha users
* Upgrade Growl to 1.10.2, and address issue mochajs#2791
@davorivas

I am getting the same error, and my tests in CircleCI are not passing because of this "vulnerability":

```
(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────┐
│               │ Command Injection                                     │
├───────────────┼───────────────────────────────────────────────────────┤
│ Name          │ growl                                                 │
├───────────────┼───────────────────────────────────────────────────────┤
│ CVSS          │ 9.8 (Critical)                                        │
├───────────────┼───────────────────────────────────────────────────────┤
│ Installed     │ 1.9.2                                                 │
├───────────────┼───────────────────────────────────────────────────────┤
│ Vulnerable    │ All                                                   │
├───────────────┼───────────────────────────────────────────────────────┤
│ Patched       │ None                                                  │
├───────────────┼───────────────────────────────────────────────────────┤
│ Path          │ my-project > [email protected] > [email protected]  │
├───────────────┼───────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/146                │
└───────────────┴───────────────────────────────────────────────────────┘
```

@janvennemann

As a workaround, until a decision is made on #2930, and since mocha is a dev dependency in almost all cases, you can resort to only checking your production dependencies with `retire -p`. NSP seems to do this by default, as I'm getting no vulnerability warnings when running against a project that uses mocha as a dev dependency. If you still want to check your dev dependencies, explicitly ignore growl for the time being by adding `@growl` to your `.retireignore` or the more detailed `.retireignore.json`.

@nitrocode

@janvennemann thanks

```
✗ cat .retireignore.json
```

```json
[
  {
    "component": "growl",
    "version": "1.9.2",
    "justification": "Ignored according to mocha issue #2791: https://github.com/mochajs/mocha/issues/2791#issuecomment-319963186"
  }
]
```

@boneskull
Contributor

fixed

@matdotcom

matdotcom commented Aug 13, 2019

I have updated to 1.10.5 still have this issue.
