Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prototype Pollution in protobufjs #6438

Closed
landsman opened this issue Jul 15, 2022 · 2 comments · Fixed by #6442
Closed

Prototype Pollution in protobufjs #6438

landsman opened this issue Jul 15, 2022 · 2 comments · Fixed by #6442
Labels
api: core api: firestore v9

Comments

@landsman
Copy link

landsman commented Jul 15, 2022
edited
Loading

[REQUIRED] Describe your environment

  • Firebase SDK version: 9.9.0
  • Firebase Product: auth

We have a report on security vulnerability thanks to Github in our private repository.
I want to get rid of it.

Screenshot 2022-07-15 at 12 42 57

More info: GHSA-g954-5hwp-pp24

I found that's because of dependency used in firebase package.

landsman@M1 pay % yarn why protobufjs
└─ @grpc/proto-loader@npm:0.6.9
   └─ protobufjs@npm:6.11.2 (via npm:^6.10.0)

landsman@M1 pay % yarn why @grpc/proto-loader
├─ @firebase/firestore@npm:3.4.12
│  └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.0)
│
├─ @firebase/firestore@npm:3.4.12 [2e82b]
│  └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.0)
│
├─ @firebase/firestore@npm:3.4.12 [4fc2d]
│  └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.0)
│
└─ @grpc/grpc-js@npm:1.5.4
   └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.4)
landsman@M1 pay % yarn why @firebase/firestore
├─ @firebase/firestore-compat@npm:0.1.21
│  └─ @firebase/firestore@npm:3.4.12 (via npm:3.4.12)
│
├─ @firebase/firestore-compat@npm:0.1.21 [4fc2d]
│  └─ @firebase/firestore@npm:3.4.12 [2e82b] (via npm:3.4.12 [2e82b])
│
└─ firebase@npm:9.9.0
   └─ @firebase/firestore@npm:3.4.12 [4fc2d] (via npm:3.4.12 [4fc2d])

landsman@M1 pay % yarn why firebase
├─ @trisbee/auth@npm:2.4.1::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40trisbee%2Fauth%2F2.4.1%2F80d963c5a50747b534098e6b0acda096db8668f211b78925e8cd57e50011f751
│  └─ firebase@npm:9.9.0 (via npm:^9.9.0)
│
└─ @trisbee/auth@npm:2.4.1::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40trisbee%2Fauth%2F2.4.1%2F80d963c5a50747b534098e6b0acda096db8668f211b78925e8cd57e50011f751 [40f58]
   └─ firebase@npm:9.9.0 (via npm:^9.9.0)

landsman@M1 pay % yarn why @firebase/firestore-compat
└─ firebase@npm:9.9.0
   └─ @firebase/firestore-compat@npm:0.1.21 [4fc2d] (via npm:0.1.21 [4fc2d])

Can you please help me to resolve it? 🙏
I already have an up-to-date version of the firebase.

Is the fix already in progress?
I can't know because the security vulnerability reports are private, in custom Google form, not here on Github where I would expect them when they are confirmed 😢
@google-oss-bot
Copy link
Contributor

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@hsubox76
Copy link
Contributor

Thanks for bringing this up. All work on this repo specifically should be publicly viewable in issues and PRs, as well as in any dependencies that are open source. I think we can fix the issue by updating the @grpc/proto-loader to version 0.6.13, as they bumped their version of protobufjs in that change: https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fproto-loader%400.6.13

I'll make a PR.

@hsubox76 hsubox76 mentioned this issue Jul 15, 2022
Merged
@google-oss-bot google-oss-bot mentioned this issue Jul 19, 2022
Merged
@firebase firebase locked and limited conversation to collaborators Aug 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
api: core api: firestore v9
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update @grpc/proto-loader dep to address protobufjs security issue firebase/firebase-js-sdk
4 participants
@landsman @hsubox76 @google-oss-bot @jbalidiong