Swagger-ui: Vulnerability in transitive dependency underscore.string

Created on 2 Feb 2019 · 3 Comments · Source: swagger-api/swagger-ui

Using latest version

{
  "name": "test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "swagger-ui": "^3.20.6"
  }
}

Audit reports

$ yarn audit
yarn audit v1.12.3
+------------------------------------------------------------------------------+
¦ moderate      ¦ Regular Expression Denial of Service                         ¦
+---------------+--------------------------------------------------------------¦
¦ Package       ¦ underscore.string                                            ¦
+---------------+--------------------------------------------------------------¦
¦ Patched in    ¦ >=3.3.5                                                      ¦
+---------------+--------------------------------------------------------------¦
¦ Dependency of ¦ swagger-ui                                                   ¦
+---------------+--------------------------------------------------------------¦
¦ Path          ¦ swagger-ui > remarkable > argparse > underscore.string       ¦
+---------------+--------------------------------------------------------------¦
¦ More info     ¦ https://nodesecurity.io/advisories/745                       ¦
+------------------------------------------------------------------------------+
1 vulnerabilities found - Packages audited: 319
Severity: 1 Moderate
P3 security housekeeping

All 3 comments

@nulltoken, as always thanks for filing an issue!

I'm deprioritizing this based on upstream analysis (that I agree with) that this is not a realistic security concern:

Unless you are planning on attacking yourself by entering a 100k string in the terminal while running the CLI, this is not even remotely a vulnerability or security concern for remarkable.

This means that if you pass a long string (50k characters?), that might look like a date, to the remarkable cli, your experience might be degraded by about 2 seconds.

https://github.com/jonschlinkert/remarkable/pull/312#issuecomment-447430773

Further, for us: argparse is used in Remarkable's CLI, which is not used in Swagger UI at all. There's simply no way that this "vulnerability" could cause problems for us here.

Just FYI, but upstream remarkable closed their issue related to this as of 10 days ago. Not too big of a deal (given the low risk of this vuln), but just wanted to make sure y'all were aware so that hopefully NPM audit can finally be happy again.

https://github.com/jonschlinkert/remarkable/issues/310

Indeed @Racer159, this is resolved, we grabbed the new Remarkable version in https://github.com/swagger-api/swagger-ui/pull/5509.

Closing!
