(security)(RCE) Upgrade jsonpath-plus to @^10.0.0 #4770

Closed
adrsimon opened this issue Oct 11, 2024 · 7 comments · Fixed by #4782

Comments

@adrsimon

Hello,

Snyk reported a security issue in one of my repos, because of one of the dependencies used by dd-trace-js.
You can find the report here : https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

dd-trace-js uses jsonpath-plus@^9.0.0 which contains a RCE.

The only thing to do is upgrade the lib.

Thanks !

@adrsimon adrsimon changed the title Update jsonpath-plus to @^10.0.0 Upgrade jsonpath-plus to @^10.0.0 Oct 11, 2024
@adrsimon adrsimon changed the title Upgrade jsonpath-plus to @^10.0.0 (security)(RCE) Upgrade jsonpath-plus to @^10.0.0 Oct 11, 2024
@AidenPoultonProlific

We're using pnpm, and adding the following to package.json at least bumped the dependency for us. A quick ephemeral deployment shows tracing is still working; however, it's hard to say there aren't side effects from this, so I would tread carefully if you're pushing this out to production (especially ahead of the weekend).

"pnpm": {
  "overrides": {
    "jsonpath-plus": "10.0.0"
  }
}

@monwolf

monwolf commented Oct 14, 2024

For searching purposes, this relates to CVE-2024-21534

watson added a commit that referenced this issue Oct 15, 2024
Fixes #4770

Co-authored-by: Juan Carlos Blanco Delgado <36451129+juancarlosjr97@users.noreply.github.com>
@lilasquared

lilasquared commented Oct 15, 2024

Overriding is fine, but could we get a bumped version of the dd-trace package so we can get the updated jsonpath package in downstream projects without needing to configure overrides or resolutions?

@adrsimon
Author

adrsimon commented Oct 16, 2024

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

In the end, the vulnerability was not solved by the latest version of jsonpath-plus, and there is, for the moment, no version without the vulnerability.

@watson I'll allow myself to ping you, since you're the one who closed the issue. Should it maybe be re-opened with the goal of finding a workaround to the use of this lib? tbh I have no clue of the impact it has on the dd-trace codebase, and whether another solution than the use of the lib is possible.

idk either if dd-trace uses the functionalities of jsonpath-plus impacted by the RCE, but if so then it may be important to have a look at a possible workaround.

Here's the issue JSONPath-Plus/JSONPath#226 on the jsonpath-plus side.

@juancarlosjr97
Contributor

juancarlosjr97 commented Oct 16, 2024

@adrsimon it has been fixed in v10.0.1 of jsonpath-plus: JSONPath-Plus/JSONPath@0bf1665
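Added example, not code from dd-trace-js or from this thread: a small check that walks a package-lock.json style `packages` map and flags every copy of jsonpath-plus (including nested copies under dd-trace, which a pnpm/npm override may or may not reach) that resolves below the version reported above as carrying the fix, 10.0.1. The lockfile is constructed inline; the version comparator is a minimal one written for this example.

```javascript
// Added example (not from dd-trace-js or jsonpath-plus). Checks a lockfile
// (npm lockfileVersion 2/3 "packages" map) for copies of jsonpath-plus that
// resolve below the version this thread reports as fixed. Runs offline.
const FIXED_VERSION = '10.0.1';

// Minimal compare on the numeric x.y.z core: a leading range operator such as
// "^" and any pre-release suffix are stripped. Negative means a < b.
function compareVersions(a, b) {
  const core = (v) => v.replace(/^[^\d]*/, '').split('-')[0].split('.').map(Number);
  const pa = core(a);
  const pb = core(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Keys look like "node_modules/dd-trace/node_modules/jsonpath-plus", so the
// last path segment is the package name and nested copies are found too.
function findVulnerableJsonpathPlus(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/jsonpath-plus')) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy was bumped to the fixed
// release, but a nested copy under dd-trace still resolves to the 9.x line
// and a copy pinned by an override to 10.0.0 is still below the fix.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/jsonpath-plus': { version: '10.0.1' },
    'node_modules/dd-trace': { version: '0.0.0-constructed' }, // placeholder
    'node_modules/dd-trace/node_modules/jsonpath-plus': { version: '9.0.0' },
    'node_modules/some-other-dep/node_modules/jsonpath-plus': { version: '10.0.0' },
  },
};

console.log(findVulnerableJsonpathPlus(SAMPLE_LOCKFILE));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means every resolved copy is at or above 10.0.1.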

@roippi

roippi commented Oct 16, 2024

If there are other pathways to Function or such, they may still be vulnerable.

From the dev that shipped the 10.0.1 fix. I can't say that that statement fills me with confidence that the RCE vuln is fixed for good.

bengl pushed a commit that referenced this issue Oct 16, 2024
Fixes #4770

Co-authored-by: Juan Carlos Blanco Delgado <36451129+juancarlosjr97@users.noreply.github.com>
@tylerzey

I see there's a copy/paste file from jsonpath-plus here:

That should be unimpacted by this change because it's from version 10, right?

Does dd-trace use the feature that isn't resolved in version 10?
