Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Snyk: snowflake-connector-nodejs word-wrap 1.2.3 | Snyk ID - SNYK-JS-WORDWRAP-3149973 #454

Closed
github-actions bot opened this issue Mar 23, 2023 · 13 comments
Closed

Snyk: snowflake-connector-nodejs word-wrap 1.2.3 | Snyk ID - SNYK-JS-WORDWRAP-3149973 #454

github-actions bot opened this issue Mar 23, 2023 · 13 comments
Assignees
@sfc-gh-ext-simba-ti
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@github-actions
Copy link

Title: Snyk: snowflake-connector-nodejs word-wrap 1.2.3
Additional information on Snyk can be found here: https://snyk.io/org/snowflakedb-sca-scanning-public-repo/project/957b80fa-27c7-404f-98b8-90d7c14dc6ef
Repo: snowflake-connector-nodejs
CVE: CVE-2023-26115
Package Type: js
Package Name: word-wrap
Package Version: 1.2.3
Snyk ID: SNYK-JS-WORDWRAP-3149973
Vulnerability URL: http://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973
Severity: medium
Introduced Date: 2023-03-23
Projects with Vulnerability: snowflakedb/snowflake-connector-nodejs:package.json
Target File: package.json
JIRA Ticket: https://snowflakecomputing.atlassian.net/browse/SNOW-767109
@sfc-gh-ext-simba-ti sfc-gh-ext-simba-ti self-assigned this Mar 23, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka added security vulnerability Security vulnerability detected by WhiteSource status-in_progress Issue is worked on by the driver team labels Mar 29, 2023
@sfc-gh-dszmolka
Copy link
Collaborator

jonschlinkert/word-wrap#33

@bgswilde
Copy link

Hey Snowflake team. Any update on this from your end? I've seen past issues/prs involving urllib, but doesn't seem like you wanted to tackle this? Version 3 doesn't include the problematic dependencies that seem to be causing multiple vulnerabilities that the version you use is bringing in.

@sfc-gh-dszmolka
Copy link
Collaborator

hey @bgswilde apologies for not being more transparent on this one. behind the curtains we're very much busy with this so I would not say we don't want to tackle this issue.

We cannot just simply bump the urllib dependency to version 3.x and be done with it, because that would also require refactoring and testing efforts in other parts of the driver, as urllib version 3.0.0 and up comes with a breaking change.

we're considering short-term workarounds and long-term solutions to address this security issue. Will post here any updates once they are agreed-upon and available.

@bgswilde
Copy link

@sfc-gh-dszmolka thanks for the update!

@tony-snoop
Copy link

FYI: Upvoting this issue as this vulnerability is also being flagged on our end by snyk:

[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]

@sfc-gh-dszmolka
Copy link
Collaborator

(this is still not forgotten and very much on the table. but as you can see in the original PR opened for the original word-wrap vulnerability (link), even there is a disagreement on the approach and we would like to be careful what and how to make part of our driver. thank you all for bearing with us!)

@Martin-Locker
Copy link

The direct dependent (optionator 0.9.3) uses now the fixed lib"@aashutoshrathi/word-wrap".
But I think it will be necessary to upgrade to urllib 3.x. And even that will not help, because degenerator does not use the new version of escodegen. npm hell...It is possible the get rid of urllib? There are other vulnerabilities like in semver.

Actual Problem:
-- [email protected] -- [email protected]
-- [email protected] -- [email protected]
-- [email protected] -- [email protected]
-- [email protected] -- [email protected]
`-- [email protected]

Problem with semver (os-name is fixed, but seem not to be merged link )

+-- [email protected]
| +-- [email protected]
| | -- [email protected] deduped | -- [email protected]
| -- [email protected] | -- [email protected]
| -- [email protected] | -- [email protected]

@sfc-gh-dszmolka
Copy link
Collaborator

entirely replacing the dependency which provides the very core functionality of snowflake-sdk (talking to Snowflake over HTTP) is not a trivial task, but indeed it is on the agenda - and is not in scope for this particular Issue.
Even the urllib upgrade needs refactor due to the aforementioned breaking change.

what is in scope is fixing the word-wrap vulnerability where we on the short term will probably take the approach as everyone else out there; override the vulnerable word-wrap library with the fixed one, since the original developer doesn't seem to be merging the fix into their module.

as there's any new information will post here. thank you everyone for bearing with us !

@animesh-net animesh-net mentioned this issue Jul 10, 2023
Closed
@sfc-gh-dszmolka
Copy link
Collaborator

#527

@sfc-gh-dszmolka sfc-gh-dszmolka added status-pr_pending_merge A PR is made and is under review and removed status-in_progress Issue is worked on by the driver team labels Jul 10, 2023
@sfc-gh-dszmolka
Copy link
Collaborator

PR is merged (override word-wrap with the fix included in @aashutoshrathi/[email protected] as the word-wrap maintainer doesn't merge the PR and seems to have abandoned the project , see the ongoing conversation on jonschlinkert/word-wrap#33)
will be part of the next release which is expected towards end of July

@sfc-gh-dszmolka sfc-gh-dszmolka added status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. and removed status-pr_pending_merge A PR is made and is under review labels Jul 11, 2023
@bgswilde
Copy link

Just want to make you guys aware, some things are getting merged in the word-wrap repo finally to address this. They went with a different solution than PR#33 on there, but this should prevent you from having to use an override.

jonschlinkert/word-wrap#41

@tony-snoop
Copy link

Cheers @bgswilde - appreciate the updates you guys are making and for keeping us in the loop

@sfc-gh-dszmolka
Copy link
Collaborator

sfc-gh-dszmolka commented Jul 18, 2023
edited
Loading

yup just wanted to share the good news, word-wrap 1.2.4 finally released and a fresh install of snowflake-sdk automatically picks up the fixed version.

edit: override reverted in #579 , this concludes the fix which is automatically picked up upon snowflake-sdk (re)install, it is already available.
thank you everyone for bearing with us on this journey ;)

@sfc-gh-dszmolka sfc-gh-dszmolka removed the status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. label Jul 19, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka mentioned this issue Jul 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sfc-gh-ext-simba-ti sfc-gh-ext-simba-ti

Labels
security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Martin-Locker @sfc-gh-dszmolka @bgswilde @tony-snoop @sfc-gh-ext-simba-ti