Express: dependency cookie-signature v1.0.6 uses sha1, flagged by security tool

Created on 17 Jun 2019 · 3 comments · Source: expressjs/express

I am using express v4.16.4, it has cookie-signature v1.0.6 as a dependency.
My organization uses a tool called checkmarx which has flagged cookie-parser v1.0.6 as using sha1 and categorized this as a security vulnerability because sha1 is broken now (sha1, as I understand it, is being used to avoid timing attacks and not for any kind of cryptographic signing in this case, so this seems like a false positive).

I also understand that since then cookie-parser has moved on to using crypto.timingSafeEqual instead of sha1, based on https://github.com/tj/node-cookie-signature/pull/22 and https://github.com/tj/node-cookie-signature/pull/24

Are there any plans to have express depend on v1.1.0 of cookie-parser, so that these false(?) security flags can be avoided?

Labels: deps, question

All 3 comments

The new version of cookie signature requires node.js that is too high for express. The author has promised to maintain the 1.0.x line for us instead of merging a PR I made to add the support back. I would open an issue on the cookie signature to change the signature alg on the 1.0.x line if that is important to you to change.

If it helps, this is the PR I opened to add back old Node.js support to the module https://github.com/tj/node-cookie-signature/pull/25 and this was the main comment for the non-merge:

unless something comes up with 1.0.6. Closing this PR "without prejudice", i.e. would be willing to re-open it if there's a compelling need from a major consumer of this library.

Thanks for this information.
I think in my case, this should be enough information to close the false positive issue flagged by the security tool.
