-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-2p57-rm9w-gvfp] ip SSRF improper categorization in isPublic #4619
[GHSA-2p57-rm9w-gvfp] ip SSRF improper categorization in isPublic #4619
Conversation
Hi @ThisIsMissEm, could you provide a link to the fix in 2.0.1? The original vulnerability report says that 2.0.1 is affected. |
I'm trying to sort of what the vulnerability is here; it seems there was And since isPublic is just a negation on isPrivate, then it should also be fixed: https://github.com/indutny/node-ip/blob/3b0994a74eca51df01f08c40d6a65ba0e1845d04/lib/ip.js#L336 The isPrivate method uses the normalizeToLong method, so it should guard against input like I think this "vulnerability" is actually just that If you want to validate whether a value is an IP address or not, then there are methods in Node.js for that: https://nodejs.org/docs/latest-v20.x/api/net.html#netisipinput |
Also, the original vulnerability report claims the package isn't maintained, it now is again. The project was temporarily archived. |
Hi @ThisIsMissEm , this has come up on the security scanners in my org. What is the next step to move this PR forward, this PR doesnt have any reviewers, could we get a GHSA security analyst to review this? I am new to this and only documentation I could find is that - "Pull requests will be reviewed and either merged or closed by our internal security advisory curation team." |
I don't know. I have actually proposed to @indutny to remove the isPublic method entirely, since a negation of isPrivate is not "is public", it's "is not ip or is public" i know he's incredibly busy though, so may not have had time to do that change. I don't think indutny/node-ip#144 is the way forwards here. |
@rejuls but also, just look at how you uses the ip package, and check that you're using isPrivate, and then you should be able to marl the vulnerability as "code path not used" |
My understanding is that MITRE chose to assign a separate CVE ID because 2.0.1 fixed some but not all of the possible problematic scenarios. CVE-2024-29415 is meant to track the other scenarios. If you think CVE-2024-29415 needs clarifying, I suggest you contact MITRE so that the update will affect everyone relying on the CVE, rather than just the GitHub database. |
It should be clear as the CVE description explicitly states that "this issue exists because of an incomplete fix for CVE-2023-42282".
Unarchived does not mean it is maintained again. You should take a look at the commit history, the issues, and the pull requests. The author does not push new commits, reply to any issues, or review any pull requests. |
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
9666d7e
into
ThisIsMissEm/advisory-improvement-4619
Hi @ThisIsMissEm! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
As far as I can tell, the package author has written a fix for this advisory and published it as version 2.0.1