
path-to-regexp npm audit high vulnerable #13955

Closed

danielehrhardt opened this issue Sep 10, 2024 · 17 comments · Fixed by #13971
Labels
needs triage This issue has not been looked into

Comments

@danielehrhardt

danielehrhardt commented Sep 10, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

In express, @nestjs/core and @nestjs/platform-express there is a package used, "path-to-regexp", which causes an npm high-severity vulnerability. For version 0.1.7 there is a patch, 0.1.10, but for 3.2.0 there is no patch currently available.
This should be updated.

Minimum reproduction code

pillarjs/path-to-regexp@29b96b4

Steps to reproduce

npm install
npm audit

Expected behavior

no high security vulnerability

Package

  • I don't know. Or some 3rd-party package
  • @nestjs/common
  • @nestjs/core
  • @nestjs/microservices
  • @nestjs/platform-express
  • @nestjs/platform-fastify
  • @nestjs/platform-socket.io
  • @nestjs/platform-ws
  • @nestjs/testing
  • @nestjs/websockets
  • Other (see below)

Other package

No response

NestJS version

10.3.10

Packages versions

latest

Node.js version

20

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response

@danielehrhardt
Author

GHSA-9wv6-86v2-598j

@autorejecttop

@nestjs/platform-fastify is also affected by this

@autorejecttop

autorejecttop commented Sep 10, 2024

I tried reproducing this by:

  1. nest new project-name
  2. npm install @nestjs/microservices @nestjs/platform-fastify @nestjs/platform-socket.io @nestjs/platform-ws @nestjs/testing @nestjs/websockets
  3. npm audit

It looks like the affected packages are:

  1. @nestjs/core
  2. @nestjs/microservices
  3. @nestjs/platform-express
  4. @nestjs/platform-fastify
  5. @nestjs/platform-socket.io
  6. @nestjs/platform-ws
  7. @nestjs/testing
  8. @nestjs/websockets

I got this output:

# npm audit report

path-to-regexp  <=0.1.9 || 0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @nestjs/[email protected], which is a breaking change
node_modules/@fastify/middie/node_modules/path-to-regexp
node_modules/express/node_modules/path-to-regexp
node_modules/path-to-regexp
  @fastify/middie  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/@fastify/middie
    @nestjs/platform-fastify  *
    Depends on vulnerable versions of @fastify/middie
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of path-to-regexp
    node_modules/@nestjs/platform-fastify
  @nestjs/core  <=2.0.2 || 5.2.0-next - 5.7.4 || >=6.11.0-next.1
  Depends on vulnerable versions of @nestjs/microservices
  Depends on vulnerable versions of @nestjs/platform-express
  Depends on vulnerable versions of @nestjs/websockets
  Depends on vulnerable versions of path-to-regexp
  node_modules/@nestjs/core
    @nestjs/microservices  >=7.0.1
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of @nestjs/websockets
    node_modules/@nestjs/microservices
    @nestjs/platform-express  *
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of express
    node_modules/@nestjs/platform-express
      @nestjs/testing  >=7.0.1
      Depends on vulnerable versions of @nestjs/core
      Depends on vulnerable versions of @nestjs/microservices
      Depends on vulnerable versions of @nestjs/platform-express
      node_modules/@nestjs/testing
    @nestjs/websockets  >=7.0.1
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of @nestjs/platform-socket.io
    node_modules/@nestjs/websockets
      @nestjs/platform-socket.io  >=8.0.0-alpha.1
      Depends on vulnerable versions of @nestjs/websockets
      node_modules/@nestjs/platform-socket.io
      @nestjs/platform-ws  >=8.0.0-alpha.1
      Depends on vulnerable versions of @nestjs/websockets
      node_modules/@nestjs/platform-ws
  express  4.0.0-rc1 - 4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of path-to-regexp
  node_modules/express

11 high severity vulnerabilities

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

@anukritigarg13

@nestjs/swagger is also affected by this

@paskaran

When can we expect a fix for this? Thanks :)

@micalevisk
Member

Kamil should address this soon if feasible.

And, as long as you don't have a route that uses the specific path pattern that is mentioned in the vulnerability, you don't need to worry. (btw npm audit: Broken by Design)
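As an added example (not code from this thread or from NestJS), a small check in the spirit of the remark above: it scans route strings for the shape that advisory GHSA-9wv6-86v2-598j describes, two named parameters inside one path segment separated by anything other than a period; that shape is taken from the advisory text, not from this thread, and the route list below is constructed.

```javascript
// Added example, not code from the thread or from NestJS: a static check for
// the route shape GHSA-9wv6-86v2-598j is about. Per the advisory, the risky
// case is two named parameters inside ONE path segment separated by anything
// other than a period, e.g. "/:from-:to". One parameter per segment
// ("/users/:id") or a period separator ("/:name.:ext") is not affected.

// Return the segments of `path` that contain two ":param" tokens separated by
// something other than ".". Custom regex groups such as ":id(\\d+)" are not
// parsed here; only the ":name" tokens themselves are located.
function riskySegments(path) {
  const risky = [];
  for (const seg of path.split('/')) {
    const params = [...seg.matchAll(/:(\w+)/g)];
    for (let i = 1; i < params.length; i++) {
      const prevEnd = params[i - 1].index + params[i - 1][0].length;
      const separator = seg.slice(prevEnd, params[i].index);
      if (separator !== '.') {
        risky.push(seg);
        break;
      }
    }
  }
  return risky;
}

// Filter a list of route strings (controller paths, setGlobalPrefix excludes,
// middleware routes) down to the ones that need attention before upgrading.
function auditRoutes(routes) {
  return routes.filter((route) => riskySegments(route).length > 0);
}

// Constructed sample routes in the style of Nest decorators / setGlobalPrefix.
const SAMPLE_ROUTES = [
  '/health',
  '/users/:id',
  '/files/:name.:ext',
  '/range/:from-:to',
  '/:a:b',
];

console.log(auditRoutes(SAMPLE_ROUTES)); // [ '/range/:from-:to', '/:a:b' ]
```

Routes reported by this check are the ones to review (or rewrite with one parameter per segment) until the dependency is upgraded; an empty result supports the "no need to worry" reading above.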

@paskaran

The problem is audit pipelines failing :D downgrading to 6.10.14 is not an option for us. Hopefully the fix arrives soon :). Thanks

@danielehrhardt
Author

#13957

@micalevisk
Member

micalevisk commented Sep 10, 2024

I don't think that upgrading path-to-regexp from v3 to v8 is a good short-term solution because we might bring breaking changes (see v6, v7, and others). I guess we need to find a way to let the dev upgrade it on their side instead.

@Piet-verdriet

@micalevisk I agree :) An issue has been opened for path-to-regexp here.
Please bump; hopefully one of the devs can look into patching soon.

@micalevisk
Member

micalevisk commented Sep 10, 2024

Looks like the path-to-regexp team won't backport that fix tho: pillarjs/path-to-regexp#318 (comment)

@DanielSchiavini

They shouldn't need to backport, the release 3.2.0 is almost 5 years old! Nest should've upgraded a long time ago.

@micalevisk
Member

micalevisk commented Sep 10, 2024

A workaround for npm v8+ users:

Just add the following to your package.json file and remove the lock file:

  "overrides": {
    "path-to-regexp": "^8.1"
  }

So now you'll be using the latest version of path-to-regexp.


Yarn and pnpm have similar solutions.

@pnewhook

pnewhook commented Sep 10, 2024

@micalevisk That unfortunately doesn't work if you're using code that calls pathToRegexp under the hood, like app.useGlobalPrefix(). Looks like pathToRegexp used to be a default export, but that was changed sometime after.

[Nest] 96096  - 09/10/2024, 11:36:43 AM   ERROR [ExceptionHandler] pathToRegexp is not a function
TypeError: pathToRegexp is not a function
    at /Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/middleware/utils.js:22:24
    at Array.map (<anonymous>)
    at mapToExcludeRoute (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/middleware/utils.js:11:19)
    at NestApplication.setGlobalPrefix (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-application.js:236:49)
    at /Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-factory.js:145:40
    at Function.run (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/errors/exceptions-zone.js:10:13)
    at Proxy.<anonymous> (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-factory.js:144:46)
    at Proxy.<anonymous> (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-factory.js:193:54)
    at bootstrap (/Users/newhop2/dev/aible/hub-api/src/main.ts:12:7)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
Waiting for the debugger to disconnect...

The problem stems from this code:

  app.setGlobalPrefix('v1', {
    exclude: [
      { path: 'health', method: RequestMethod.ALL },
      { path: 'graphql', method: RequestMethod.ALL },
    ],
  });

@naeramarth7

naeramarth7 commented Sep 10, 2024

Looks like pathToRegexp used to be a default export, but that was changed sometime after.

It is now accessible via the exported member pathToRegexp.

However, there's a breaking change in version 8 of path-to-regexp anyways:

  • removing support for RegExp as input. Only strings are supported now.
  • Those strings have a limited syntax. (, ), [ and ] were removed, see Unexpected (, ), [, ], etc.

This will subsequently break the behaviour of e.g. excluding routes in middlewares, thus making this breaking change transparent to users of Nest as well.

@micalevisk
Member

micalevisk commented Sep 10, 2024

Thanks.

So for those that really don't use path-to-regexp (i.e., no regex paths), you can use this patch for @nestjs/core (and express@4, in my case) for now, along with #13955 (comment):

You can use https://www.npmjs.com/package/patch-package to apply that.

@danielehrhardt
Author

pillarjs/path-to-regexp#317 (comment)
3.3.0 published
