Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-2p57-rm9w-gvfp] ip SSRF improper categorization in isPublic #4619

Conversation

ThisIsMissEm
Copy link

Updates

  • Affected products

Comments
As far as I can tell, the package author has written a fix for this advisory and published it as version 2.0.1

@github-actions github-actions bot changed the base branch from main to ThisIsMissEm/advisory-improvement-4619 July 18, 2024 17:31
@JonathanLEvans
Copy link

Hi @ThisIsMissEm, could you provide a link to the fix in 2.0.1? The original vulnerability report says that 2.0.1 is affected.

@ThisIsMissEm
Copy link
Author

I'm trying to sort of what the vulnerability is here; it seems there was CVE-2023-42282 described in GHSA-78xj-cgh5-2h22 which has been fixed in 2.0.1: indutny/node-ip@v2.0.0...v2.0.1

And since isPublic is just a negation on isPrivate, then it should also be fixed: https://github.com/indutny/node-ip/blob/3b0994a74eca51df01f08c40d6a65ba0e1845d04/lib/ip.js#L336

The isPrivate method uses the normalizeToLong method, so it should guard against input like 127.1

I think this "vulnerability" is actually just that isPublic doesn't make any assertions about the input being a valid IP address; it's simply a negation of isPrivate — it's not actually validating the input "is a publicly accessible IP address" it is simply saying the input is not a private IP address.

If you want to validate whether a value is an IP address or not, then there are methods in Node.js for that: https://nodejs.org/docs/latest-v20.x/api/net.html#netisipinput

@ThisIsMissEm
Copy link
Author

Also, the original vulnerability report claims the package isn't maintained, it now is again. The project was temporarily archived.

@rejuls
Copy link

rejuls commented Jul 25, 2024

Hi @ThisIsMissEm , this has come up on the security scanners in my org. What is the next step to move this PR forward, this PR doesnt have any reviewers, could we get a GHSA security analyst to review this? I am new to this and only documentation I could find is that -

"Pull requests will be reviewed and either merged or closed by our internal security advisory curation team."

@ThisIsMissEm
Copy link
Author

I don't know. I have actually proposed to @indutny to remove the isPublic method entirely, since a negation of isPrivate is not "is public", it's "is not ip or is public"

i know he's incredibly busy though, so may not have had time to do that change. I don't think indutny/node-ip#144 is the way forwards here.

@ThisIsMissEm
Copy link
Author

@rejuls but also, just look at how you uses the ip package, and check that you're using isPrivate, and then you should be able to marl the vulnerability as "code path not used"

@JonathanLEvans
Copy link

My understanding is that MITRE chose to assign a separate CVE ID because 2.0.1 fixed some but not all of the possible problematic scenarios. CVE-2024-29415 is meant to track the other scenarios. If you think CVE-2024-29415 needs clarifying, I suggest you contact MITRE so that the update will affect everyone relying on the CVE, rather than just the GitHub database.

@ouuan
Copy link

ouuan commented Jul 30, 2024

I'm trying to sort of what the vulnerability is here; it seems there was CVE-2023-42282 described in GHSA-78xj-cgh5-2h22 which has been fixed in 2.0.1: indutny/[email protected]

My understanding is that MITRE chose to assign a separate CVE ID because 2.0.1 fixed some but not all of the possible problematic scenarios. CVE-2024-29415 is meant to track the other scenarios. If you think CVE-2024-29415 needs clarifying, I suggest you contact MITRE so that the update will affect everyone relying on the CVE, rather than just the GitHub database.

It should be clear as the CVE description explicitly states that "this issue exists because of an incomplete fix for CVE-2023-42282".

Also, the original vulnerability report claims the package isn't maintained, it now is again. The project was temporarily archived.

Unarchived does not mean it is maintained again. You should take a look at the commit history, the issues, and the pull requests. The author does not push new commits, reply to any issues, or review any pull requests.

Copy link

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Aug 27, 2024
@advisory-database advisory-database bot merged commit 9666d7e into ThisIsMissEm/advisory-improvement-4619 Sep 3, 2024
2 checks passed
@advisory-database
Copy link
Contributor

Hi @ThisIsMissEm! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants