Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Swarm.js - Arbitrary File Write vulnerability #3399

Closed
shaunazzopardi opened this issue Mar 2, 2020 · 9 comments · Fixed by #3403
Closed

Swarm.js - Arbitrary File Write vulnerability #3399

shaunazzopardi opened this issue Mar 2, 2020 · 9 comments · Fixed by #3403
Assignees
Labels
1.x 1.0 related issues

Comments

@shaunazzopardi
Copy link

Expected behavior

No high vulnerabilities.

Actual behavior

Getting an Arbitrary File Write vulnerability.

Steps to reproduce the behavior

  1. npm install web3
  2. npm audit

Logs

  High            Arbitrary File Write                                          

  Package         decompress                                                    

  Patched in      No patch available                                            

  Dependency of   web3                                                          

  Path            web3 > web3-bzz > swarm-js > decompress                       

  More info       https://npmjs.com/advisories/1217   

Versions

Web3 1.2.6

@cgewecke cgewecke added 1.x 1.0 related issues dependencies labels Mar 3, 2020
@cgewecke
Copy link
Collaborator

cgewecke commented Mar 3, 2020

@shaunazzopardi Thanks for reporting.

It looks like neither swarm-js or decompress are being actively developed, unfortunately.

The underlying issue is being tracked at decompress #76.

@cgewecke
Copy link
Collaborator

cgewecke commented Mar 3, 2020

For near-term maintenance purposes we could fork swarm-js to the web3-js org (or ethereumjs) and move decompress to development dependencies. Believe it's only used in a script to generate archive entries and is incidental to the library methods.

Longer term options include migrating swarm support to the erebos api or just deprecating it altogether.

@evertonfraga
Copy link

evertonfraga commented Mar 3, 2020 via email

@cgewecke
Copy link
Collaborator

cgewecke commented Mar 3, 2020

@evertonfraga Ah that would be great! I saw commits by you but didn't see another publish.

@cgewecke
Copy link
Collaborator

cgewecke commented Mar 4, 2020

@evertonfraga Opened swarm-js 36 for that change.

@evertonfraga
Copy link

I published swarm-js 0.1.40. please check!

@evertonfraga evertonfraga self-assigned this Mar 4, 2020
@cgewecke
Copy link
Collaborator

cgewecke commented Mar 4, 2020

@evertonfraga LGTM!

+ [email protected]
added 169 packages from 119 contributors and audited 356 packages in 18.645s
found 0 vulnerabilities

@evertonfraga
Copy link

That's great :)

if you need anything else in that front, lmk!

@holgerd77 holgerd77 changed the title Arbitrary File Write vulnerability Swarm.js - Arbitrary File Write vulnerability Mar 4, 2020
@holgerd77
Copy link
Collaborator

@cgewecke @evertonfraga Hi guys, greetings from EthCC, you are missed! 🥰 Thanks for keeping up on the real-work-to-be-done-front!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1.x 1.0 related issues
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants