Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2022-25858][1.x]Bump terser from 4.8.0 to 4.8.1 #3726

Merged
merged 2 commits into from
Apr 5, 2023
Merged

[CVE-2022-25858][1.x]Bump terser from 4.8.0 to 4.8.1 #3726

merged 2 commits into from
Apr 5, 2023

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Mar 29, 2023

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions. Currently, 1.x is using version 4.8.0.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why terser
yarn why v1.22.19
[1/4] Why do we have the module "terser"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "terser@4.8.0"
info Reasons this module exists
   - "_project_#@osd#optimizer#terser-webpack-plugin" depends on it
   - Hoisted from "_project_#@osd#optimizer#terser-webpack-plugin#terser"
   - Hoisted from "_project_#@osd#ui-shared-deps#webpack#terser-webpack-plugin#terser"
info Disk size without dependencies: "1.86MB"
info Disk size with unique dependencies: "2.86MB"
info Disk size with transitive dependencies: "2.88MB"
info Number of shared dependencies: 4
Done in 1.03s.

terser is a dependency of terser-webpack-plugin . We are two versions of terser-webpack-plugin in 1.x, 2.3.7 and 1.4.4.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why terser-webpack-plugin
yarn why v1.22.19
[1/4] Why do we have the module "terser-webpack-plugin"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "terser-webpack-plugin@2.3.7"
info Reasons this module exists
   - "_project_#@osd#optimizer" depends on it
   - Hoisted from "_project_#@osd#optimizer#terser-webpack-plugin"
info Disk size without dependencies: "704KB"
info Disk size with unique dependencies: "4.92MB"
info Disk size with transitive dependencies: "10.18MB"
info Number of shared dependencies: 68
=> Found "webpack#terser-webpack-plugin@1.4.4"
info This module exists because "_project_#@osd#ui-shared-deps#webpack" depends on it.
info Disk size without dependencies: "92KB"
info Disk size with unique dependencies: "3.58MB"
info Disk size with transitive dependencies: "8.13MB"
info Number of shared dependencies: 66
Done in 1.20s.
  • terser-webpack-plugin v2.3.7 uses "terser": "^4.6.12" here. The last version on major version 2 is v2.3.8 which also uses the same, see here.
  • terser-webpack-plugin v1.4.4 uses "terser": "^4.1.2" here. The last version on major version 1 is v1.4.5 which also uses the same, see here.

Both range of "terser": "^4.6.12" and "terser": "^4.1.2" indicate that terser could be bumped to 4.8.1. The fix is to set a resolution to the target version.

Issues Resolved

#1907

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from joshuarrrr March 29, 2023 22:33
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend backport 1.3 labels Mar 29, 2023
@ananzh ananzh requested a review from abbyhu2000 March 29, 2023 22:35
joshuarrrr
joshuarrrr reviewed Mar 29, 2023
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@codecov-commenter
Copy link

codecov-commenter commented Mar 29, 2023
edited
Loading

Codecov Report

Merging #3726 (9af4939) into 1.x (53ae3cf) will not change coverage.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@           Coverage Diff           @@
##              1.x    #3726   +/-   ##
=======================================
  Coverage   67.50%   67.50%           
=======================================
  Files        3044     3044           
  Lines       58692    58692           
  Branches     8902     8902           
=======================================
  Hits        39619    39619           
  Misses      16925    16925           
  Partials     2148     2148
Flag Coverage Δ
Linux 67.45% <ø> (ø)
Windows 67.45% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@ananzh
[CVE-2022-25858][1.x]Bump terser from 4.8.0 to 4.8.1
707beff 
Issue Resolved:
opensearch-project#1907

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh added the v1.3.9 label Mar 30, 2023
joshuarrrr
joshuarrrr previously approved these changes Mar 30, 2023
View reviewed changes
kristenTian
kristenTian previously approved these changes Mar 31, 2023
View reviewed changes
@ananzh ananzh dismissed stale reviews from kristenTian and joshuarrrr via 9af4939 April 3, 2023 16:33
@joshuarrrr joshuarrrr merged commit 39818e3 into opensearch-project:1.x Apr 5, 2023
@joshuarrrr joshuarrrr added v1.3.10 and removed v1.3.9 labels Apr 5, 2023
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Apr 5, 2023
Merged
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 5, 2023
@github-actions
[CVE-2022-25858][1.x] Bump terser from 4.8.0 to 4.8.1 (#3726)
18fdbd5 
Issue Resolved:
#1907

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 39818e3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
ananzh pushed a commit that referenced this pull request Apr 14, 2023
@opensearch-trigger-bot @github-actions @joshuarrrr
[Backport 1.3] [CVE-2022-25858][1.x]Bump terser from 4.8.0 to 4.8.1 (#…
240bcf5 
…3786)

* [CVE-2022-25858][1.x] Bump terser from 4.8.0 to 4.8.1 (#3726)

Issue Resolved:
#1907

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 39818e3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kristenTian kristenTian kristenTian approved these changes

@ashwin-pc ashwin-pc ashwin-pc approved these changes

@joshuarrrr joshuarrrr joshuarrrr approved these changes

@abbyhu2000 abbyhu2000 Awaiting requested review from abbyhu2000 abbyhu2000 is a code owner

Assignees

@joshuarrrr joshuarrrr

Labels
backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend v1.3.10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ananzh @codecov-commenter @joshuarrrr @ashwin-pc @kristenTian