diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 4b7e10430..b35f66cd7 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,11 +1,6 @@
# -- Node.js security ecosystem triage members
# These owners will be automatically assigned to any PRs
# opened for vulnerabilities to be added to the database
-# of the npm community ecosystem
-/vuln/npm/ @nodejs/ecosystem-security
-
-# Currently setting the same ecosystem team to help
-# review any core related PRs as well
/vuln/core/ @mhdawson @rvagg @vdeturckheim @RafaelGSS
# -- Node.js Security WG processes
diff --git a/.github/workflows/update-npm-index.yml b/.github/workflows/update-npm-index.yml
deleted file mode 100644
index 6a3ea2cb0..000000000
--- a/.github/workflows/update-npm-index.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: "Update npm index.json"
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- paths:
- - 'vuln/npm/*.json'
- - '!vuln/npm/index.json'
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- stale:
- runs-on: ubuntu-latest
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
- - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- with:
- persist-credentials: false
-
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: 18
-
- - name: Install deps
- run: npm ci
-
- - name: Update npm index.json
- run: |
- npm run create-npm-index
-
- - name: Create Pull Request
- uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- commit-message: 'vuln: update npm index.json'
- title: update npm index.json
- body: 'update npm index.json. cc: @nodejs/security-wg'
- assignees: ${{ github.actor }}
- labels: security-wg-agenda
- branch: npm-index-updated
- update-pull-request-title-and-body: true
diff --git a/package.json b/package.json
index 804471099..61afc8ac0 100644
--- a/package.json
+++ b/package.json
@@ -4,7 +4,6 @@
"scripts": {
"test": "node --test",
"validate": "node tools/vuln_valid",
- "create-npm-index": "node tools/create_index/create_npm_index.js",
"create-core-index": "node tools/create_index/create_core_index.js"
},
"keywords": [],
diff --git a/tools/create_index/create_npm_index.js b/tools/create_index/create_npm_index.js
deleted file mode 100644
index 5ccef26c9..000000000
--- a/tools/create_index/create_npm_index.js
+++ /dev/null
@@ -1,5 +0,0 @@
-const generator = require('./index_generator')
-
-const npmVulnerabilitiesPath = './vuln/npm/'
-
-generator(npmVulnerabilitiesPath)
\ No newline at end of file
diff --git a/tools/create_index/index_generator.js b/tools/create_index/index_generator.js
index dc1f29f48..cb906b893 100644
--- a/tools/create_index/index_generator.js
+++ b/tools/create_index/index_generator.js
@@ -52,8 +52,6 @@ const writeIndex = function(data, vulnDirectoryPath) {
if(vulnDirectoryPath === './vuln/core/') {
console.log('Succesfully wrote ' + vulnDirectoryPath + 'index.json for core vulnerabilities.')
- } else if(vulnDirectoryPath === './vuln/npm/') {
- console.log('Succesfully wrote ' + vulnDirectoryPath + 'index.json for npm vulnerabilities.')
}
}
diff --git a/vuln/npm/1.json b/vuln/npm/1.json
deleted file mode 100644
index 07aa1a8ac..000000000
--- a/vuln/npm/1.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "id": 1,
- "created_at": "2015-10-17",
- "updated_at": "2016-04-28",
- "title": "Arbitrary JavaScript Execution",
- "author": {
- "name": "Jarda Kotěšovec",
- "website": null,
- "username": null
- },
- "module_name": "bassmaster",
- "publish_date": "2014-09-27",
- "cves": [
- "CVE-2014-7205"
- ],
- "vulnerable_versions": "<=1.5.1",
- "patched_versions": ">=1.5.2",
- "overview": "A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.",
- "recommendation": "Update to bassmaster version 1.5.2 or greater.",
- "references": [
- "https://www.npmjs.org/package/bassmaster",
- "https://github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4"
- ],
- "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
- "cvss_score": 6.5,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/10.json b/vuln/npm/10.json
deleted file mode 100644
index 685c0e87f..000000000
--- a/vuln/npm/10.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "id": 10,
- "created_at": "2015-10-17",
- "updated_at": "2016-04-20",
- "title": "Directory Traversal",
- "author": {
- "name": "Vikram Chaitanya",
- "website": null,
- "username": null
- },
- "module_name": "geddy",
- "publish_date": "2015-07-27",
- "cves": [
- "CVE-2015-5688"
- ],
- "vulnerable_versions": "<13.0.8",
- "patched_versions": ">=13.0.8",
- "overview": "Geddy static file serving allows directory traversal with a URI encoded path.\n\n### Example\n```\nhttp://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd\n\ngeddy is serving the output as it doesn't match the routes and it's a static file\n```",
- "recommendation": "Update to version >= 13.0.8",
- "references": [
- "https://github.com/geddy/geddy/issues/697",
- "https://github.com/geddy/geddy/pull/699"
- ],
- "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
- "cvss_score": 5.3,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/100.json b/vuln/npm/100.json
deleted file mode 100644
index 8ec243852..000000000
--- a/vuln/npm/100.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "id": 100,
- "created_at": "2016-04-15",
- "updated_at": "2017-04-14",
- "title": "Regular Expression Denial Of Service",
- "author": {
- "name": "Peter Dotchev",
- "website": null,
- "username": null
- },
- "module_name": "uri-js",
- "publish_date": "2017-04-14",
- "cves": [],
- "vulnerable_versions": "<=2.1.1",
- "patched_versions": ">=3.0.0",
- "overview": "uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. \nTo check if you're vulnerable, look for a call to `require(\"uri-js\").parse()` where a user is able to send their own input.",
- "recommendation": "Upgrade to v3.0.0",
- "references": [
- "https://github.com/garycourt/uri-js/issues/12",
- "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"
- ],
- "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "cvss_score": 7.5,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/101.json b/vuln/npm/101.json
deleted file mode 100644
index 831c6e038..000000000
--- a/vuln/npm/101.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "id": 101,
- "created_at": "2016-04-18",
- "updated_at": "2017-01-20",
- "title": "Sanitization bypass using HTML Entities",
- "author": {
- "name": "Matt Austin",
- "website": null,
- "username": null
- },
- "module_name": "marked",
- "publish_date": "2016-04-18",
- "cves": [],
- "vulnerable_versions": "<=0.3.5",
- "patched_versions": ">=0.3.6",
- "overview": "marked is an application that is meant to parse and compile markdown.\n\nDue to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL.\n\nThis flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left. \n\nFor example:\n\nIf a malicious user could provide this input to the application `javascript֍ocument;alert(1)` resulting in a valid link, that when a user clicked it would execute `alert(1)`.",
- "recommendation": "Upgrade to version 0.3.6 or greater.",
- "references": [
- "https://github.com/chjj/marked/pull/592",
- "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"
- ],
- "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
- "cvss_score": 5.3,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/102.json b/vuln/npm/102.json
deleted file mode 100644
index 1b213c192..000000000
--- a/vuln/npm/102.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": 102,
- "created_at": "2016-04-18",
- "updated_at": "2016-10-31",
- "title": "Improper Escaping of Bound Arrays",
- "author": {
- "name": "Leibale Eidelman",
- "website": null,
- "username": null
- },
- "module_name": "sequelize",
- "publish_date": "2016-10-31",
- "cves": [],
- "vulnerable_versions": "<=3.19.3",
- "patched_versions": ">=3.20.0",
- "overview": "sequalize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS\n\nIn Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.\n\nThis causes potential SQL injection, where a malicious user could put `[\"test\", \"'); DELETE TestTable WHERE Id = 1 --')\"]` inside of\n```\ndatabase.query('SELECT * FROM TestTable WHERE Name IN (:names)', {\n replacements: {\n names: directCopyOfUserInput\n }\n});\n``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN ('test', '\\'); DELETE TestTable WHERE Id = 1 --')`. \n\nIn Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.",
- "recommendation": "Upgrade to sequelize version 3.20.0 or greater",
- "references": [
- "https://github.com/sequelize/sequelize/issues/5671"
- ],
- "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
- "cvss_score": 4.8,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/104.json b/vuln/npm/104.json
deleted file mode 100644
index 64f9ae340..000000000
--- a/vuln/npm/104.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": 104,
- "created_at": "2016-04-21",
- "updated_at": "2016-06-22",
- "title": "SSL Validation Defaults to False",
- "author": {
- "name": "Mark Lee",
- "website": null,
- "username": null
- },
- "module_name": "electron-packager",
- "publish_date": "2016-04-22",
- "cves": [],
- "vulnerable_versions": ">= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2",
- "patched_versions": ">= 7.0.0",
- "overview": "- electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron.\n- The `--strict-ssl` command line option defaults to false if not explicitly set to true\n\nThis could allow an attacker to Man In The Middle (MITM) the step where electron-packager does the following step: \"Download all supported target platforms and arches of Electron using the installed electron-prebuilt version (and cache the downloads in ~/.electron)\" effecting the integrity of the package and the cached downloads in ~/.electron.\n\nThis only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.",
- "recommendation": "Upgrade to at least version 7.0.0\n\nIt's also recommended to delete the electron-download cache folder, by default named .electron, and located in your home folder. For example:\n\n```\nrm -rf ~/.electron\n```",
- "references": [
- "https://github.com/electron-userland/electron-packager/issues/333"
- ],
- "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
- "cvss_score": 3.1,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/106.json b/vuln/npm/106.json
deleted file mode 100644
index 06c3a04e3..000000000
--- a/vuln/npm/106.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": 106,
- "created_at": "2016-05-04",
- "updated_at": "2016-06-16",
- "title": "Regular Expression Denial of Service",
- "author": {
- "name": "Adam Baldwin",
- "website": null,
- "username": null
- },
- "module_name": "negotiator",
- "publish_date": "2016-06-16",
- "cves": [],
- "vulnerable_versions": "<= 0.6.0",
- "patched_versions": ">= 0.6.1",
- "overview": "negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.\n\nThe header for \"Accept-Language\", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string. \n\nTimeline\n\n- April 29th 2016 - Initial report to maintainers\n- April 29th 2016 - Confirm receipt from maintainers\n- May 1st 2016 - Fix confirmed\n- May 5th 2016 - 0.6.1 published with fix\n- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)",
- "recommendation": "Upgrade to at least version 0.6.1\n\nExpress users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.",
- "references": [
- "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"
- ],
- "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "cvss_score": 7.5,
- "coordinating_vendor": "^Lift Security"
-}
diff --git a/vuln/npm/107.json b/vuln/npm/107.json
deleted file mode 100644
index 0317d351b..000000000
--- a/vuln/npm/107.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "id": 107,
- "created_at": "2016-05-05",
- "updated_at": "2016-06-27",
- "title": "Cross Site Scripting",
- "author": {
- "name": "Unknown",
- "website": null,
- "username": null
- },
- "module_name": "dojo",
- "publish_date": "2016-05-23",
- "cves": [
- "CVE-2008-6681"
- ],
- "vulnerable_versions": "<= 1.0",
- "patched_versions": ">= 1.1",
- "overview": "dojo is the core module for the Dojo Toolkit. The dojo package covers a wide range of functionality like AJAX, DOM manipulation, class-type programming, events, promises, data stores, drag-and-drop and internationalization libraries.\n\nThere is a bug in the `dijit.Editor` and `textarea` where input, even sanitized, executes javascript. This is because the `!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !