
[CVE-2021-23382][1.x] Bump postcss from 8.2.10 to 8.2.13 #3739

Merged
merged 2 commits into from
Mar 30, 2023

Conversation

ananzh
Member

@ananzh ananzh commented Mar 30, 2023

Issue Resolve

#1094

Description

This CVE requires bumping postcss to be <7.0.36||>=8.0.0 <8.2.13. The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*). In 1.x we are using postcss under two versions, 8.2.10 and 7.0.36.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why postcss
yarn why v1.22.19
[1/4] Why do we have the module "postcss"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "postcss@8.2.10"
info Has been hoisted to "postcss"
info Reasons this module exists
   - "workspace-aggregator-ba40e46f-2bf0-45d1-a0c7-52702aefb59c" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#@osd#optimizer#postcss"
   - Hoisted from "_project_#@osd#ui-framework#postcss"
   - Hoisted from "_project_#postcss"
info Disk size without dependencies: "312KB"
info Disk size with unique dependencies: "1.25MB"
info Disk size with transitive dependencies: "1.25MB"
info Number of shared dependencies: 3
=> Found "postcss-loader#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#postcss-loader" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "autoprefixer#postcss@7.0.36"
info This module exists because "_project_#@osd#optimizer#autoprefixer" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "css-loader#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#css-loader" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "icss-utils#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#css-loader#icss-utils" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "postcss-modules-local-by-default#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#css-loader#postcss-modules-local-by-default" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "postcss-modules-extract-imports#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#css-loader#postcss-modules-extract-imports" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "postcss-modules-scope#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#css-loader#postcss-modules-scope" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
=> Found "postcss-modules-values#postcss@7.0.36"
info This module exists because "_project_#@osd#ui-framework#css-loader#postcss-modules-values" depends on it.
info Disk size without dependencies: "684KB"
info Disk size with unique dependencies: "1.58MB"
info Disk size with transitive dependencies: "1.81MB"
info Number of shared dependencies: 7
Done in 1.12s.

Since 7.0.36 is a safe version, we only need to bump 8.2.10 to 8.2.13, which seems to have no breaking changes when comparing the two versions.

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
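As an added example (not part of this PR or of the OpenSearch Dashboards code), a dependency-free Node script that parses the `=> Found "...postcss@x.y.z"` lines of `yarn why postcss` output like the one above and flags every resolved copy that falls inside the vulnerable range the description gives, <7.0.36 || >=8.0.0 <8.2.13. The sample output, the helper names and the minimal semver comparison are constructed here.

```javascript
// Added example, not from the PR: audit every postcss copy that `yarn why`
// resolves against the vulnerable range <7.0.36 || >=8.0.0 <8.2.13.
const VULNERABLE_RANGES = [
  // min is inclusive (null = no lower bound), max is exclusive
  { min: null, max: '7.0.36' },
  { min: '8.0.0', max: '8.2.13' },
];

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return VULNERABLE_RANGES.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) < 0);
}

// Extract each resolved postcss copy from `yarn why postcss` output.
// Matches both `=> Found "postcss@8.2.10"` (hoisted copy) and nested
// copies such as `=> Found "css-loader#postcss@7.0.36"`.
function auditYarnWhy(output) {
  const re = /^=> Found "((?:[^"#]+#)*postcss)@([^"]+)"/;
  const found = [];
  for (const line of output.split('\n')) {
    const m = re.exec(line.trim());
    if (m) found.push({ path: m[1], version: m[2], vulnerable: isVulnerable(m[2]) });
  }
  return found;
}

// Constructed sample mirroring the shape of the PR's `yarn why` output.
const SAMPLE = [
  '=> Found "postcss@8.2.10"',
  'info Has been hoisted to "postcss"',
  '=> Found "postcss-loader#postcss@7.0.36"',
  '=> Found "autoprefixer#postcss@7.0.36"',
].join('\n');

for (const e of auditYarnWhy(SAMPLE)) {
  console.log(`${e.path}@${e.version}: ${e.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```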

@ananzh ananzh requested a review from joshuarrrr March 30, 2023 16:45
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend backport 1.3 labels Mar 30, 2023
Issue Resolve
opensearch-project#1094

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh force-pushed the 1.x-bump-postcss branch from c36864f to 60f9444 Compare March 30, 2023 16:50
@codecov-commenter

Codecov Report

Merging #3739 (c36864f) into 1.x (bf1c65f) will decrease coverage by 0.05%.
The diff coverage is n/a.

❗ Current head c36864f differs from pull request most recent head 60f9444. Consider uploading reports for the commit 60f9444 to get more accurate results


@@            Coverage Diff             @@
##              1.x    #3739      +/-   ##
==========================================
- Coverage   67.49%   67.45%   -0.05%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
- Hits        39617    39593      -24     
- Misses      16926    16946      +20     
- Partials     2149     2153       +4     
Flag Coverage Δ
Linux 67.45% <ø> (+<0.01%) ⬆️
Windows ?


@ananzh ananzh added the v1.3.9 label Mar 30, 2023
@joshuarrrr joshuarrrr assigned ananzh and unassigned joshuarrrr Mar 30, 2023
@ananzh ananzh assigned joshuarrrr and unassigned ananzh Mar 30, 2023
@ananzh ananzh merged commit 53d2d91 into opensearch-project:1.x Mar 30, 2023
@opensearch-trigger-bot
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-3739-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 53d2d91b930a63dedebae236ffa1703c2e388752
# Push it to GitHub
git push --set-upstream origin backport/backport-3739-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-3739-to-1.3.

Labels
cve Security vulnerabilities detected by Dependabot or Mend v1.3.12