
Crash in HeaderParser in dicer #1729

Closed
kirank21 opened this issue May 27, 2022 · 9 comments

Comments

@kirank21

Installed package firebase-admin@^10.0.2 which has dependency upon dicer "^0.3.0".

GitHub Advisory has notified me regarding the Crash in HeaderParser in dicer with High severity status.

Please help me fix this security issue.


@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@BowTiedSwan

Hi team, this issue seems to be critical as the dicer package hasn't had a patch fixing it:

@mgav

mgav commented May 27, 2022

"…affects all versions of package dicer."

Running "npm audit report" for me yields:

dicer * Severity: high Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2 fix available via `npm audit fix --force`
Will install firebase-functions@2.3.1, which is a breaking change
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
@apollographql/graphql-upload-8-fork *
Depends on vulnerable versions of busboy
node_modules/@apollographql/graphql-upload-8-fork
apollo-server-core 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
node_modules/apollo-server-core
apollo-server-express 2.0.1 || 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of apollo-server-core
node_modules/apollo-server-express
@vue/cli-ui >=5.0.0-alpha.0
Depends on vulnerable versions of apollo-server-express
node_modules/@vue/cli-ui
@vue/cli >=5.0.0-alpha.0
Depends on vulnerable versions of @vue/cli-ui
node_modules/@vue/cli
firebase-admin >=7.1.0
Depends on vulnerable versions of dicer
node_modules/firebase-admin
firebase-functions >=3.0.0
Depends on vulnerable versions of firebase-admin
node_modules/firebase-functions

9 high severity vulnerabilities

To address all issues (including breaking changes), run:
`npm audit fix --force`

Here's a link to the official "npm audit" docs: https://docs.npmjs.com/cli/v8/commands/npm-audit

Of course "npm audit fix --force" can create other problems.

CharithJ writes: "Most of the time do not do this. Running audit fix will update some of the packages but not all their dependencies, which can cause run time errors."

I'm a novice and have not tried this and am **NOT** suggesting to do it, but the docs mention "Do a dry run to get an idea of what audit fix will do, and also output install information in JSON format:" `npm audit fix --dry-run --json`

I wonder if there's an option to do a "dry run" on "force" (npm audit fix --force --dry-run --json), even though it's not mentioned?
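Added example, not code from this thread or from the firebase-admin project: a small Python triage helper for the `npm audit --json` report format (auditReportVersion 2, the one npm 7+ emits). It separates root advisories from packages that are only affected through their dependencies, follows `effects` up to the dependencies declared in package.json, and flags when the only available fix is a semver-major change, which is exactly the "breaking change / needs --force" case in the audit output above. The sample report is constructed to mirror the dicer, busboy, firebase-admin, firebase-functions chain quoted in the thread.

```python
import json

# Constructed sample of `npm audit --json` (auditReportVersion 2), trimmed to
# the fields this helper reads; it mirrors the dependency chain in the thread.
BREAKING = {"name": "firebase-functions", "version": "2.3.1", "isSemVerMajor": True}
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "dicer": {"severity": "high", "isDirect": False,
              "via": [{"title": "Crash in HeaderParser in dicer", "severity": "high",
                       "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2"}],
              "effects": ["busboy", "firebase-admin"], "fixAvailable": BREAKING},
    "busboy": {"severity": "high", "isDirect": False, "via": ["dicer"],
               "effects": [], "fixAvailable": BREAKING},
    "firebase-admin": {"severity": "high", "isDirect": True, "via": ["dicer"],
                       "effects": ["firebase-functions"], "fixAvailable": BREAKING},
    "firebase-functions": {"severity": "high", "isDirect": True,
                           "via": ["firebase-admin"], "effects": [],
                           "fixAvailable": BREAKING}}})


def fix_kind(fix_available):
    """Map npm's fixAvailable (false / true / object) to a fix category."""
    if not fix_available:
        return "none"
    if fix_available is True or not fix_available.get("isSemVerMajor"):
        return "non-breaking"
    return "breaking (npm audit fix needs --force)"


def triage(report_json):
    """One finding per root advisory (an entry whose `via` holds an advisory
    object rather than just a package name), with the direct deps it reaches."""
    vulns = json.loads(report_json)["vulnerabilities"]
    findings = []
    for name, entry in vulns.items():
        advisories = [a for a in entry["via"] if isinstance(a, dict)]
        if not advisories:
            continue  # transitively affected only; its root is another entry
        reached, todo, seen = set(), [name], set()
        while todo:  # walk `effects` upward to packages declared in package.json
            pkg = todo.pop()
            if pkg not in seen:
                seen.add(pkg)
                if vulns.get(pkg, {}).get("isDirect"):
                    reached.add(pkg)
                todo.extend(vulns.get(pkg, {}).get("effects", []))
        findings.append({"package": name, "severity": entry["severity"],
                         "advisories": [a["url"] for a in advisories],
                         "direct_dependents": sorted(reached),
                         "fix": fix_kind(entry.get("fixAvailable"))})
    return findings
```

Run it against a real report with `npm audit --json > audit.json` and `triage(open("audit.json").read())`; the `fix` field tells you up front which advisories a plain `npm audit fix` can clear and which would only go away with a breaking upgrade.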

@Kondamon

It seems it will not be fixed in dicer: mscdex/dicer#22
However, a fix is ongoing in multer: expressjs/multer#1097

@Kondamon

Duplicate of #1512

@mgav

mgav commented May 27, 2022

Duplicate of #1512

FYI, that issue was opened Dec 4, 2021

@lahirumaramba
Member

Please see my reply to #1718 (comment)
The Admin Node.js SDK uses dicer to parse multipart responses from Firebase APIs so the risk here is pretty minimal. However, I agree that it would be great to address this properly. We are currently looking into the available options.

I am going to close this issue as we will continue to track this in #1718. Thanks everyone.

@RoadAssist

Is there any workaround available, guys?

@mgav

mgav commented Jun 3, 2022

Preamble: I am a novice and this is not advice on what you should do - I'm just relaying what I did and what the outcome was.

After deploying my Vuejs3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment above.

Having no other solutions on the table, I decided to uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2).

BUT, after the first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got was a ton of high severity warnings and problems.

So I decided to once again uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2) and that's it (did NOT run npm audit fix).

I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!
