Nest: CVE-2020-7637 vulnerability

Created on 14 Apr 2020 · 7 comments · Source: nestjs/nest

The project class-transformer seems dead. And this issue is marked as moderate

moderate severity
Vulnerable versions: <= 0.2.3
Patched version: No fix

class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

Labels: dependencies, blocked 🚫

All 7 comments

Thanks for the heads up. There is not much we can do from our side right now. Since the TypeStack team is not very responsive to this issue, we might need to consider getting in contact with them directly @kamilmysliwiec?

We might need to consider getting in contact with them directly

If the team is not very responsive in their GitHub repository, I doubt that anyone would reply to our direct messages @BrunnerLivio

class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

@sangdth As for this vulnerability, Nest handles this issue internally for several months already so our users shouldn't be affected. https://github.com/nestjs/nest/blob/master/packages/common/pipes/validation.pipe.ts#L159-L165

The project class-transformer seems dead.

Side note: the lack of commits doesn't necessarily mean that "project is dead". Most projects used by big enterprises (like Express in Node.js or Laravel in PHP) barely have any new commits at this point. Sometimes it just means that a project is stable and maintainers don't plan to add more features.

[from the class-validator repo] Should be considered by nest.js, because they heavily depend on this project.

We don't heavily depend on this project (in fact, we don't depend on it at all). We recommend using it for 2 features though.

If any other security vulnerabilities arise in the future (which we can't workaround/fix on our side), then I'll consider simply porting this library in the NestJS organization.
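The comment above (and the closing remark later in the thread) says Nest neutralises this class of payload on its own side before user input reaches class-transformer. The block below is an added example, not code from class-transformer, Nest or anyone in this thread: it models the pattern the advisory describes, a routine that recursively copies keys of an attacker-controlled plain object onto an existing object, shows how a `__proto__` key in a parsed JSON body reaches `Object.prototype`, and pairs it with the mitigation of stripping prototype-related keys from the input first. The function names (`assignFromPlainUnsafe`, `stripProtoKeys`, `runRequest`), the forbidden-key list and the payload are assumptions for illustration; the exact keys and recursion Nest's ValidationPipe uses are not reproduced here.

```javascript
// Added example (not class-transformer's or Nest's own code). It models the pattern
// the advisory describes: recursively copying keys of an attacker-controlled plain
// object (a parsed JSON body) onto an existing object. A "__proto__" key reaches
// Object.prototype through the inherited accessor. The mitigation is to strip
// prototype-related keys from the parsed input before any such copy runs.
// Assumption: names, forbidden-key list and payload are illustrative only.

// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates "__proto__" as an ordinary own data property.
const ATTACKER_BODY = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Copies every own key of `source` onto `target`, recursing into nested objects.
// Unsafe: when key === "__proto__", `target[key]` resolves through the accessor
// inherited from Object.prototype, so the recursion writes into Object.prototype.
function assignFromPlainUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      assignFromPlainUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Mitigation: recursively delete own keys that can alter the prototype chain.
// `delete obj['__proto__']` removes only an own data property of that name; the
// inherited accessor on Object.prototype is untouched.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function stripProtoKeys(value) {
  if (value === null || typeof value !== 'object') {
    return value;
  }
  if (Array.isArray(value)) {
    value.forEach(stripProtoKeys);
    return value;
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      delete value[key];
    } else {
      stripProtoKeys(value[key]);
    }
  }
  return value;
}

// Runs one request body through the copy routine and reports whether an
// unrelated, freshly created object now inherits `isAdmin`. Any pollution is
// undone afterwards so the rest of the process is not affected.
function runRequest(rawBody, { strip }) {
  const body = JSON.parse(rawBody);
  const existing = { name: '' };
  try {
    assignFromPlainUnsafe(existing, strip ? stripProtoKeys(body) : body);
    const unrelated = {};
    return {
      name: existing.name,
      leaked: unrelated.isAdmin === true,
      hasOwnIsAdmin: Object.prototype.hasOwnProperty.call(existing, 'isAdmin'),
    };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function runUnsafe() {
  return runRequest(ATTACKER_BODY, { strip: false });
}

function runSafe() {
  return runRequest(ATTACKER_BODY, { strip: true });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', runUnsafe()); // leaked: true, hasOwnIsAdmin: false
  console.log('safe:  ', runSafe());   // leaked: false
}
```

The `hasOwnIsAdmin: false` result in the unsafe run is the tell-tale sign of this bug class: the target object looks clean, yet every object in the process now answers `isAdmin === true`. The strip has to run before the input reaches any transformer or merge routine, which is why it belongs in the request pipeline rather than in the DTO; `constructor` and `prototype` are included because other merge implementations can be reached through `constructor.prototype` even when `__proto__` is blocked.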

Thanks for the clarification.

We don't heavily depend on this project (in fact, we don't depend on it at all). We recommend using it for 2 features though.

@kamilmysliwiec It may only be 2 features but if you start using class-validator for validation as suggested in the docs[1][2], the dependency on class-transformer can quickly grow. We've had our fair share of issues with class-validator and class-transformer. I did try to contribute to class-validator and raised some issues in class-transformer. I think porting this library into the NestJS organization would help the community a lot.

@shusson please, keep in mind we also have limited resources. Nest doesn't have any primary or base sponsor ATM. My work (and other contributors' work) is motivated by the "giving back to the community" idea (not money). Hence, we have other responsibilities (daily work) which we must take care of. Nest is being used by the biggest corporations in the world right now, but they are not interested in sponsoring our work. If the issues mentioned in this post affect Nest, I'll surely do my best to fork them under this organization as soon as possible. It's not necessary yet though.

@kamilmysliwiec I completely understand, and greatly appreciate Nest. Thanks to you and all the contributors of Nest for your hard work. Unfortunately, the company I work for also has limited resources.

I just wanted to point out that this library is probably being used by the wider NestJS community a lot more than indicated in your initial response. And that once you start using it, you end up with a pretty big dependency on it. We are, in fact, at the moment considering migrating away from class-validator.

Before you migrate, I'd recommend investing enough time to determine what this particular issue is about and what not to use in order not to be affected. Migrating away from a specific library because there are no commits does not make any sense and is a waste of time. Similarly, migrating away because there's an issue in functionality that you don't use at all is a waste of time as well. Anyway, it's your (and your company's) decision, but if you have limited resources, I'd recommend not spending them on useless migrations.

Just to clarify this once again: as long as you follow Nest documentation and use what's described in the docs, you won't be affected at all. Nest handles this issue on its side and there are no security vulnerabilities.

Let me close this issue since it's getting bloated with posts unrelated to NestJS.
