Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Core: Replace ip function to address security concerns #27529

Merged
merged 7 commits into from
Jun 5, 2024
Merged

Core: Replace ip function to address security concerns #27529

merged 7 commits into from
Jun 5, 2024

Conversation

tony19
Copy link
Contributor

@tony19 tony19 commented Jun 4, 2024

Copy of #26073 by @cosieLq


Closes #26014

What I did

I've listened to the suggestion from #26025 and added a small helper function to replace ip.address, so that we can remove the insecure package ip. What the helper function does is essentially the same as ip.address: it returns the first remotely accessible IPv4 address or otherwise the loopback.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This pull request has been released as version 0.0.0-pr-27529-sha-07e8bc7b. Try it out in a new sandbox by running npx storybook@0.0.0-pr-27529-sha-07e8bc7b sandbox or in an existing project with npx storybook@0.0.0-pr-27529-sha-07e8bc7b upgrade.

More information
Published version 0.0.0-pr-27529-sha-07e8bc7b
Triggered by @valentinpalkovic
Repository tony19-contrib/storybook
Branch refactor/ip
Commit 07e8bc7b
Datetime Wed Jun 5 05:20:43 UTC 2024 (1717564843)
Workflow run 9378628230

To request a new release of this pull request, mention the @storybookjs/core team.

core team members can create a new canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=27529

@valentinpalkovic valentinpalkovic self-assigned this Jun 4, 2024
@valentinpalkovic valentinpalkovic added maintenance User-facing maintenance tasks security ci:normal labels Jun 4, 2024
@cosieLq
Copy link
Contributor

cosieLq commented Jun 4, 2024

@tony19 Thank you! Indeed, let's fix this by removing 'ip'.

@kasperpeulen
Copy link
Contributor

kasperpeulen commented Jun 4, 2024

@tony19 I would like to merge this. Can you fix the yarn.lock issue?

@kasperpeulen kasperpeulen added the patch:yes Bugfix & documentation PR that need to be picked to main branch label Jun 4, 2024
@storybook-bot
Copy link
Contributor

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/9366149836

@valentinpalkovic
Copy link
Contributor

@tony19 Could you please allow the contribution on this branch for maintainers? I would like to update the lock file, which is not up to date. Or just run yarn install in the code directory and push the updated lock file, otherwise I am not able to create a canary release and CI keeps also failing

@tony19
Copy link
Contributor Author

tony19 commented Jun 4, 2024

@kasperpeulen @valentinpalkovic I don't see the option to enable maintainer access on this PR, but I've added you both to my fork as maintainers in case that's still needed. I'll update the lockfile... done.

Copy link

nx-cloud bot commented Jun 5, 2024

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 07e8bc7. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution


✅ Successfully ran 1 target

Sent with 💌 from NxCloud.

@valentinpalkovic valentinpalkovic merged commit 70467ec into storybookjs:next Jun 5, 2024
51 of 52 checks passed
storybook-bot pushed a commit that referenced this pull request Jun 5, 2024
Core: Replace ip function with a small helper function to address security concerns
(cherry picked from commit 70467ec)
storybook-bot pushed a commit that referenced this pull request Jun 5, 2024
Core: Replace ip function with a small helper function to address security concerns
(cherry picked from commit 70467ec)
@cosieLq
Copy link
Contributor

cosieLq commented Jun 5, 2024

@valentinpalkovic is it possible to roll this out not only for Storybook V8 but for Storybook V7 as well? Given that this is a security fix to core.

@valentinpalkovic
Copy link
Contributor

Just for context: The reported security vulnerability with the affected ip.isPublic() method is not used by Storybook. Hence, the vulnerability reported by npm audit doesn't affect Storybook users in general. You are still save to use Storybook 7.

Do we want to patch this back to 7 nonetheless @shilman?

@cosieLq
Copy link
Contributor

cosieLq commented Jun 5, 2024

@valentinpalkovic Thank you for your answer! For users of Storybook V7, it'd be very useful if this is patched back to V7, since any deploy pipeline consisting of dependency audit will otherwise fail.

storybook-bot pushed a commit that referenced this pull request Jun 5, 2024
Core: Replace ip function with a small helper function to address security concerns
(cherry picked from commit 70467ec)
@valentinpalkovic
Copy link
Contributor

valentinpalkovic commented Jun 5, 2024

I understand your concerns. We have defined here in which particular cases patches for security vulnerabilities are patched back. In this case, though, Storybook wasn't affected by the security vulnerability because we haven't used the affected API. Because of that, it is very unlikely that we will patch this fix back to Storybook 7.

Can you explain for which specific reasons you're stuck on Storybook 7?

@cosieLq
Copy link
Contributor

cosieLq commented Jun 5, 2024

The reasons are mainly priority of work. In my case (I believe relatable to many others), Storybook is deployed for the benefit of UX designers. Upgrade is not considered high priority especially when it involves some work, in comparison with other development work, as long as nothing breaks or goes deprecated. However, security is considered high priority and a vulnerable dependency, even slightly, will trigger a failed pipeline and be reflected in things such as dependency check dashboard etc.

I understand your concerns. We have defined here in which particular cases patches for security vulnerabilities are patched back. In this case, though, Storybook wasn't affected by the security vulnerability because we haven't used the affected API. Because of that, it is very unlikely that we will patch this fix back to Storybook 7.

Can you explain for which specific reasons you're stuck on Storybook 7?

@taramason
Copy link

Hi Storybook team! @valentinpalkovic et al. : I'm trying to give my Architect team an update on when the patch to 8.1.6 will be released. They are itching to remove Storybook from our repo b/c of the ip security concern. I would really like to keep it as my team in particular use Storybook a lot.

Is there a chance the patch will be merged soon? I notice it has been around for a few weeks so I'm not sure if there is a schedule or cadence (or, perhaps, I could convince someone to merge it sooner rather than later 😬).

Thank you!

@github-actions github-actions bot added the patch:done Patch/release PRs already cherry-picked to main/release branch label Jun 5, 2024
@claireramming
Copy link

Can you explain for which specific reasons you're stuck on Storybook 7?

In addition to @cosieLq's reasoning, I'd like to add that storybook 8 requires upgrading svelte to 4+, which my team has yet to do. Until then, we cannot upgrade to Storybook 8, so a patch for Storybook 7 would be greatly appreciated.

@shilman shilman changed the title Core: Replace ip function with a small helper function to address security concerns Core: Replace ip function to address security concerns Jun 6, 2024
@kuhiga
Copy link

kuhiga commented Jun 19, 2024

I would also like to request a patch for Storybook 7. Our team heavily relies on storiesOf for dynamically generated stories and currently lacks the capacity to migrate everything to the experimental indexer API. The experimental indexer API also appears to have bugs in its current state. A patch would be extremely helpful for us.

Thank you.

@shilman
Copy link
Member

shilman commented Jun 20, 2024

Hi @kuhiga. Chatting with the team about getting a 7.6.x patch out this week or so. It's more work than an 8.1.x patch, so some coordination needs to happen on our side.

Separately, regarding storiesOf, can you help me better understand:

  1. What you use storiesOf for, and what's preventing you from migrating CSF?
  2. What are the bugs in the experimental indexer API?

I'm asking in case we need to provide better off-ramps for storiesOf users. We kept storiesOf around for nearly five years after we introduced CSF because we know lots of teams use it. But ultimately it's a dead end, and I want to do everything I can to put it to bed.

@valentinpalkovic valentinpalkovic mentioned this pull request Jun 24, 2024
8 tasks
@valentinpalkovic
Copy link
Contributor

@kuhiga, @claireramming, @cosieLq v7.6.20 was just released, which contains the security hotfix!

@valentinpalkovic valentinpalkovic added needs qa Indicates that this needs manual QA during the upcoming minor/major release and removed needs qa Indicates that this needs manual QA during the upcoming minor/major release labels Jul 5, 2024
alanbsmith pushed a commit to Workday/canvas-kit that referenced this pull request Nov 13, 2024
There were a few security concerns in storybook. Although these seem to be fixed in 8.2 and later, we're still on 7.x. More info can be found [here](storybookjs/storybook#27529).

[category:Dependencies]

Co-authored-by: manuel.carrera <manuel.carrera@workday.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ci:normal maintenance User-facing maintenance tasks patch:done Patch/release PRs already cherry-picked to main/release branch patch:yes Bugfix & documentation PR that need to be picked to main branch security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: The latest version depends on the highly vulnerable ip package
9 participants