yarn audit is failing due to the newly posted advisory https://www.npmjs.com/advisories/961.
Any plans on resolving this?
It would be nice if details were known...
Getting vulnerability issues for this package
npm audit
=== npm audit security report ===
Low Denial of Service
Package node-sass
Patched in No patch available
Dependency of node-sass [dev]
Path node-sass
More info https://npmjs.com/advisories/961
Since this was closed for not meeting the template, hopefully including this information will allow the conversation to be started:
├─┬ @angular-devkit/[email protected]
│ └── [email protected]
└── [email protected]
When I run npm audit I get the same security warning as the other users above.
Hopefully that's all the information needed.
From the npmjs page, for completion sake:
Denial of Service
node-sass, low severity
Overview
All versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.
Remediation
No fix is currently available. Consider using an alternative package until a fix is made available.
I think what @saper is getting at is that this advisory doesn't link to any CVE, so although it might be fixed in later libsass releases, there is no way of knowing.
Reading the description, unless you're exposing node-sass to the web + letting them provide plug-in settings, this isn't exploitable, hence the "low severity".
NPM website says this was reported by "Alexander Jordan", but with no link to the reporter. Quick googling suggests it may be @alexjordan, a security researcher with Oracle labs. Perhaps Alex will notice this mention and provide some more detail on this vulnerability.
Same warning for me.
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/961                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 15399 scanned packages
1 vulnerability requires manual review. See the full report for details.
Will a patch be released? Thank you!
There will be no patch unless the details of the issue are disclosed to the node-sass or libsass team.
We don't know what is wrong. I have no idea what kind of funny vulnerability reporting process this is.
We need a GitHub issue with details on how to reproduce this problem, as for any other issue.
For anyone having CI-related difficulties with this vuln but who intends to keep using node-sass, I recommend npm-audit-resolver:
https://www.npmjs.com/package/npm-audit-resolver
I'm the original reporter. The NPM security team should have disclosed the vulnerability (responsibly) to the maintainers and included its description and steps to reproduce.
@saper let me know whether I should post details here or on a private channel like email.
@alexjordan I tried the new GitHub Security Advisory thing, and invited you to the issue
Thanks. Information provided there.
Thanks for the extra details @alexjordan
It was kind of what I guessed above. Unless you allow your users to pass their own imports, this isn't an issue for your projects.
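For projects that do let users supply their own importer (the case the advisory text and the comment above describe), here is a defensive wrapper as an added example, not code from this thread or from the node-sass project. It assumes node-sass's documented importer contract: an importer returns an object with a string `file` and/or `contents` (optionally `map`), an Error, or null for default resolution, with async importers calling `done(result)` instead; everything else is reduced to that shape before it reaches the native bridge. The actual fix is still upgrading to the patched release.

```javascript
'use strict';

// Added example, not node-sass project code. Assumes node-sass's documented
// importer contract: an importer returns { file: string } and/or
// { contents: string } (optionally { map: string }), an Error, or null to
// fall back to default resolution; async importers call done(result) instead.

// Reduce an untrusted importer result to a plain object with only the
// documented string fields, or null (default resolution) if it is malformed.
function sanitizeImporterResult(result) {
  if (result === null || result === undefined) return null;
  if (result instanceof Error) return result;
  if (typeof result !== 'object') return null; // primitives, functions, symbols
  const out = {};
  if (typeof result.file === 'string') out.file = result.file;
  if (typeof result.contents === 'string') out.contents = result.contents;
  if (typeof result.map === 'string') out.map = result.map;
  // Neither a file nor contents: nothing usable, let node-sass resolve itself.
  return ('file' in out || 'contents' in out) ? out : null;
}

// Wrap a user-supplied importer so render/renderSync only ever see sanitized
// values, whether the importer returns synchronously or via done().
function wrapImporter(importer) {
  return function wrapped(url, prev, done) {
    const safeDone = typeof done === 'function'
      ? (value) => done(sanitizeImporterResult(value))
      : undefined;
    let value;
    try {
      value = importer.call(this, url, prev, safeDone);
    } catch (err) {
      // A throwing importer becomes an import error instead of an uncaught exception.
      return err instanceof Error ? err : new Error(String(err));
    }
    // undefined means "the result will arrive through done()"; pass that through untouched.
    return value === undefined ? undefined : sanitizeImporterResult(value);
  };
}

// Usage (hypothetical userImporter):
// sass.renderSync({ file: 'app.scss', importer: wrapImporter(userImporter) });
```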
Update: npm were informed of a possible issue June 2019 ~but failed to inform us before opening the security advisory 6 months later~. We're currently working on a fix.
Update: we have a patch ready to go but require time to prebuild the binaries. We expect to land within ~20hrs. The advisory should hopefully be resolved within 24hrs of that.
This has been resolved in v4.13.1. Now we have to wait for npm to update its advisory.
It's working!

Thank you for addressing this issue so quickly!