See https://www.npmjs.com/advisories/803
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Caused by node-gyp. I guess this depends on https://github.com/nodejs/node-gyp/issues/1714 being fixed first. As far as I can tell, to fix this node-sass needs to upgrade to [email protected] once they've resolved the issue on their part.
Output from yarn audit:
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ high           │ Arbitrary File Overwrite                                     │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ tar                                                          │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=4.4.2                                                      │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ node-sass                                                    │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ node-sass > node-gyp > tar                                   │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://nodesecurity.io/advisories/803                       │
└────────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 16503
Severity: 1 High
Dealing with the same issue. Tried npm update node-sass --depth 999, npm i tar --save, and npm update tar --depth 999. None of that helped updating tar for node-sass.
Anyone who's looking for a temporary workaround until this gets fixed, I managed to update tar version using izogfif's answer here: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions
You need to remove tar from the required section in node-gyp in package-lock.json.
Then replace the version in the dependencies section in the same place and remove resolved and integrity properties from tar in dependencies:
"node-gyp": {
  "version": "3.8.0",
  "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
  "integrity": "sha512-3g8l...",
  "requires": {
    "fstream": "^1.0.0",
    "glob": "^7.0.3",
    "graceful-fs": "^4.1.2",
    "mkdirp": "^0.5.0",
    "nopt": "2 || 3",
    "npmlog": "0 || 1 || 2 || 3 || 4",
    "osenv": "0",
    "request": "^2.87.0",
    "rimraf": "2",
    "semver": "~5.3.0",
    "which": "1"
  },
  "dependencies": {
    "semver": {
      "version": "5.3.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
      "integrity": "sha1-myzl..."
    },
    "tar": {
      "version": "^4.4.2"
    }
  }
},
Then delete your node_modules and run npm i
Test it with npm audit
node-gyp updated its tar version to the latest in this commit a few minutes ago, expecting a release soon:
https://github.com/nodejs/node-gyp/commit/1456ef27c72cc4e49f9b1d82cbb047cb673156c8
Same issue for me although I have the 4.4.8 version:
$ npm show tar version
4.4.8
Same here waiting for a proper fix :)
Having same issue, waiting for a fix too :)
current tar version: 4.4.8
Same issue for me although I have the 4.4.8 version:
$ npm show tar version
4.4.8
You might have several transitive dependencies on multiple versions of tar :)
Thank you Asbjørn!
Yeah, looks like I have an "extraneous" 2.2.1 tar version:
$ npm ls tar
[email protected] X:\projects\cartclient
+-- [email protected]
| -- [email protected]
|-- UNMET DEPENDENCY tar@^4.4.5
+-- [email protected]
| -- @nuxt/[email protected]
|-- [email protected]
| -- UNMET OPTIONAL DEPENDENCY [email protected]
|-- UNMET OPTIONAL DEPENDENCY [email protected]
| -- UNMET OPTIONAL DEPENDENCY [email protected]
-- [email protected] extraneous
npm ERR! extraneous: [email protected] X:\projects\cartclient\node_modules\tar
npm ERR! missing: tar@^4.4.5, required by [email protected]
I'm unsure how many vulnerabilities all of you would have started with, this morning I had 4.
After running npm audit fix, 3/4 of them were fixed with just tar still giving problems.
I can however build and run my apps again for anyone with a similar case.
Updating the package-lock.json to all use "tar": "4.4.8" worked for me
Updating the package-lock.json to all use "tar": "4.4.8" worked for me
did you manage to run an audit with no vulnerabilities?
package-lock.json
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",

rm -fr node_modules

npm i

npm audit

=== npm audit security report ===
found 0 vulnerabilities
in 42617 scanned packages
@osushi-desushi Your solution has worked, no vulnerabilities. Thanks a ton!
@JarriddW
Thanks for watching!!
node-gyp got stuck with their part in updating, since they used tar@3 in their repo and upgrading to 4 broke their code: https://github.com/nodejs/node-gyp/pull/1713#issuecomment-482275511
Watch this space:
https://github.com/nodejs/node-gyp/pull/1718
Once node-gyp 3.8.1 comes out, node-sass can update the dependency.
Anybody who can summarize the steps to follow??
Not sure what to do?
Just a warning: by manually installing tar to the new version to solve the vulnerability, you're breaking node-gyp since it currently only supports tar v2. I don't believe node-sass is using tar installs, but if anything else in your package does, you're going to have issues.
This is the commit that will fix node-gyp to support v4, which would allow the vulnerability to be fixed:
https://github.com/nodejs/node-gyp/commit/6e1e425ffb#diff-f6618e1cc731d58106a806b7679a7616R170
Unfortunately with the CI pipeline I work with, I'm not able to manually change package-lock.json because it is built on the fly and compared with the committed version. If there's a mismatch things break. Would appreciate a release to fix this if possible.
If node-gyp releases a 3.8.1 (or 3.9) there will be no need for a node-sass release as that is in the version range in the package.json already.
Tar is used by node-gyp to download headers for compiling binaries, so this is only an issue if someone gets a malicious tarball on the official nodejs release site and you aren't using our pre-built binaries.
Still very unsure which steps to take. Should I do the manual tar update like @mohsenari mentioned? OR what?
Also how temporary is this fix?
Also if what @clshortfuse is saying is true, is this a smart move at all?
Please help.
@C-odes
package-lock.json
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",

rm -fr node_modules

npm i

npm audit

=== npm audit security report ===
found 0 vulnerabilities
in 42617 scanned packages
Not working for me. Every time I use npm i, all changes in package-lock.json roll back to the previous version 2.2.1.
Do you have any other packages that use tar? @invisor
@HarisSpahija yes, but this package is using tar with version 4.4.8
I did it, but while waiting for npm i to finish, I noticed that fsevents uses tar version 4.4.1. Is this an issue?
Ok, same thing here. I changed all
"tar": {
  "version": "2.2.1",
  "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
  "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
to:
  "version": "4.4.8",
  "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
  "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",

But the node-gyp dependency rolls back its tar version to 2.2.0 after npm install:
"node-gyp": {
  "version": "3.8.0",
  "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
  "integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
  "requires": {
    "fstream": "^1.0.0",
    "glob": "^7.0.3",
    "graceful-fs": "^4.1.2",
    "mkdirp": "^0.5.0",
    "nopt": "2 || 3",
    "npmlog": "0 || 1 || 2 || 3 || 4",
    "osenv": "0",
    "request": "^2.87.0",
    "rimraf": "2",
    "semver": "~5.3.0",
    "tar": "^2.0.0",
    "which": "1"
  },
  "dependencies": {
    "nopt": {
      "version": "3.0.6",
      "resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
      "integrity": "sha1-xkZdvwirzU2zWTF/eaxopkayj/k=",
      "requires": {
        "abbrev": "1"
      }
    },
    "semver": {
      "version": "5.3.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
      "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8="
    },
    "tar": {
      "version": "2.2.1",
      "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
      "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
      "requires": {
        "block-stream": "*",
        "fstream": "^1.0.2",
        "inherits": "2"
      }
    }
  }
},
see that? It rolled back to 2.2.1 * :(
@C-odes I have the same behavior
I see it I think! Look at the "Required" section under node-gyp. It says "tar": "^2.0.0". Change this.
@C-odes nice catch! Now it works
Hmmmmm one vulnerability removed, but still one remains. I checked it, seems I keep finding "tar": "^2.0.0"..
But I changed it... is it rolling back somehow? The only one that kept going back to "^2.0.0" is in the required field:
"node-gyp": {
  "version": "3.8.0",
  "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
  "integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
  "requires": {
    "fstream": "^1.0.0",
    "glob": "^7.0.3",
    "graceful-fs": "^4.1.2",
    "mkdirp": "^0.5.0",
    "nopt": "2 || 3",
    "npmlog": "0 || 1 || 2 || 3 || 4",
    "osenv": "0",
    "request": "^2.87.0",
    "rimraf": "2",
    "semver": "~5.3.0",
    "tar": "^4.0.0",
    "which": "1"
  },
  "dependencies": {
    "nopt": {
      "version": "3.0.6",
      "resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
      "integrity": "sha1-xkZdvwirzU2zWTF/eaxopkayj/k=",
      "requires": {
        "abbrev": "1"
      }
    },
    "semver": {
      "version": "5.3.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
      "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8="
    },
    "tar": {
      "version": "4.4.8",
      "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
      "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
      "requires": {
        "chownr": "^1.1.1",
        "fs-minipass": "^1.2.5",
        "minipass": "^2.3.4",
        "minizlib": "^1.1.1",
        "mkdirp": "^0.5.0",
        "safe-buffer": "^5.1.2"
      }
    }
  }
}
Changed it back to "^4.0.0". Gonna delete node_modules and npm i AGAIN. Weird..
Update: it keeps resetting to 2.0.0... why? There's no other place with tar version 2.0.0
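The two things this thread keeps running into, several nested copies of tar and a parent "requires" range that can never resolve to the fixed version, can be checked from package-lock.json directly. The script below is an added example, not code from node-sass, node-gyp or node-tar; the lockfile fragment is constructed from the snippets posted above (the node-sass and fsevents versions are made up) and the range heuristic only covers the range forms that appear in this thread.

```javascript
// Added example (not node-sass, node-gyp or node-tar code): walk a lockfileVersion 1
// package-lock.json for every nested "tar" entry, as `npm ls tar` lists them, and
// flag a tar older than 4.4.2 (the hardlink overwrite fix) and a parent "requires"
// range such as node-gyp's "^2.0.0" that cannot resolve to it (why edits roll back).
const FIXED = [4, 4, 2];
function parseVersion(v) {
  return v.replace(/^[\^~=v]+/, '').split('.').map(n => parseInt(n, 10) || 0);
}
function olderThan(a, b) {
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  return false;
}
// Heuristic for the range forms seen in this thread ("^2.0.0", "^4.0.0", "2",
// "4.4.8", ">=4.4.2", "*"); other syntax is reported as null (unknown).
function rangeReachesFix(range) {
  if (typeof range !== 'string') return null;
  const r = range.trim();
  if (r === '*' || /^>=?/.test(r)) return true;      // open-ended upward
  if (/^\^/.test(r)) return parseVersion(r)[0] >= 4; // caret cannot leave its major
  if (/^\d+$/.test(r)) return parseInt(r, 10) >= 4;  // bare major, e.g. "2"
  if (/^\d+\.\d+\.\d+$/.test(r)) return !olderThan(parseVersion(r), FIXED); // exact
  return null;
}
// Depth-first walk of the nested "dependencies" tree. The range governing a
// nested copy is its parent's requires[name]; a top-level copy has none here.
function auditLockfile(lock, name = 'tar') {
  const findings = [];
  const walk = (deps, trail, parentRequires) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) {
        const range = parentRequires ? parentRequires[name] : undefined;
        findings.push({ path: path.join(' > '), version: entry.version, range,
          vulnerable: olderThan(parseVersion(entry.version), FIXED),
          rangeReachesFix: rangeReachesFix(range) });
      }
      walk(entry.dependencies, path, entry.requires);
    }
  };
  walk(lock.dependencies, [], undefined);
  return findings;
}
// Constructed lockfile fragment modelled on this thread's snippets (node-sass/fsevents versions made up).
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'node-sass': { version: '4.11.0', requires: { 'node-gyp': '^3.8.0' }, dependencies: {
    'node-gyp': { version: '3.8.0', requires: { tar: '^2.0.0' }, dependencies: { tar: { version: '2.2.1' } } } } },
  fsevents: { version: '1.2.7', requires: { tar: '^4.0.0' }, dependencies: { tar: { version: '4.4.1' } } },
  tar: { version: '4.4.8' } } };
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f);
```

A copy with rangeReachesFix false is the one npm will keep restoring to 2.x no matter what version is written in its "dependencies" block, which is the behaviour reported above.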
Locking the thread, since this is going off topic
For those following along. There are a lot of moving pieces that are slowing down resolving this issue.
As stated by @meszaros-lajos-gyorgy in https://github.com/sass/node-sass/issues/2625#issuecomment-482579888, node-gyp is currently blocked from creating a patch because they're using an older version of node-tar to maintain support for older Node versions. Updating node-tar to address this vulnerability would mean breaking support for older versions of Node.
There is a good summary of the node-gyp issue in https://github.com/nodejs/node-gyp/pull/1718#issuecomment-485450313.
The ideal solution would be to patch the version of node-tar being used by node-gyp. There's an issue tracking that request at https://github.com/npm/node-tar/issues/212.
Please stop opening PRs. We know node-gyp has a new release. That's not enough for our needs. We appreciate the enthusiasm and we're considering our options.
A new version of [email protected] has been released with the security patch backported from 3.x. The security advisory will be updated in the next 24hrs, at which point npm audit --fix will pass.
https://github.com/npm/node-tar/issues/212#issuecomment-492463507
Advisory has been updated and npm audit fix should work again