Web3.js: Swarm.js - Arbitrary File Write vulnerability

Created on 2 Mar 2020  Â·  9Comments  Â·  Source: ChainSafe/web3.js

Expected behavior

No high vulnerabilities.

Actual behavior

Getting an _Arbitrary File Write_ vulnerability.

Steps to reproduce the behavior

  1. npm install web3
  2. npm audit

Logs

  High            Arbitrary File Write                                          

  Package         decompress                                                    

  Patched in      No patch available                                            

  Dependency of   web3                                                          

  Path            web3 > web3-bzz > swarm-js > decompress                       

  More info       https://npmjs.com/advisories/1217

Versions

Web3 1.2.6

1.x dependencies
Source
picture shaunazzopardi
👍2

Most helpful comment

@cgewecke @evertonfraga Hi guys, greetings from EthCC, you are missed! 🥰 Thanks for keeping up on the real-work-to-be-done-front!

picture holgerd77 on 4 Mar 2020
1 😄1

All 9 comments

@shaunazzopardi Thanks for reporting.

It looks like neither swarm-js or decompress are being actively developed, unfortunately.

The underlying issue is being tracked at decompress #76.

cgewecke picture cgewecke on 3 Mar 2020

For near-term maintenance purposes we could fork swarm-js to the web3-js org (or ethereumjs) and move decompress to development dependencies. Believe it's only used in a script to generate archive entries and is incidental to the library methods.

Longer term options include migrating swarm support to the erebos api or just deprecating it altogether.

cgewecke picture cgewecke on 3 Mar 2020

I probably still have push access to the repo and can get npm permissions.

Want me to perform those changes at swarm-js then?

On Tue, Mar 3, 2020 at 2:37 PM cgewecke notifications@github.com wrote:

For near-term maintenance purposes we could fork swarm-js to the web3-js
org (or ethereumjs) and move decompress to development dependencies.
Believe it's only used in a script to generate archive entries
https://github.com/MaiaVictor/swarm-js/blob/master/scripts/prepareArchives.js
and is incidental to the library methods.

Longer term options include migrating swarm support to the erebos api
https://github.com/MainframeHQ/erebos or just deprecating it altogether.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/ethereum/web3.js/issues/3399?email_source=notifications&email_token=AAALQBCMVW3HAANJ7UBUDWDRFVL6FA5CNFSM4K7NSI32YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENU3G4Q#issuecomment-594129778,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAALQBBHFJFQADSL7VL2WZDRFVL6FANCNFSM4K7NSI3Q
.

evertonfraga picture evertonfraga on 3 Mar 2020
👍1

@evertonfraga Ah that would be great! I saw commits by you but didn't see another publish.

cgewecke picture cgewecke on 3 Mar 2020

@evertonfraga Opened swarm-js 36 for that change.

cgewecke picture cgewecke on 4 Mar 2020

I published swarm-js 0.1.40. please check!

evertonfraga picture evertonfraga on 4 Mar 2020
👍1

@evertonfraga LGTM!

+ [email protected]
added 169 packages from 119 contributors and audited 356 packages in 18.645s
found 0 vulnerabilities
cgewecke picture cgewecke on 4 Mar 2020
👍1

That's great :)

if you need anything else in that front, lmk!

evertonfraga picture evertonfraga on 4 Mar 2020
👍1

@cgewecke @evertonfraga Hi guys, greetings from EthCC, you are missed! 🥰 Thanks for keeping up on the real-work-to-be-done-front!

holgerd77 picture holgerd77 on 4 Mar 2020
1 😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

baxy picture baxy  Â·  3Comments
imthatcarlos picture imthatcarlos  Â·  3Comments
SCBuergel picture SCBuergel  Â·  3Comments
ragnu picture ragnu  Â·  3Comments
FradSer picture FradSer  Â·  3Comments