Minor security issues in `expo/xdl`

bycedric · May 19, 2018, 2:34pm

Hi there!

We are getting reports in our pipeline and local development machines of two minor/moderate security issues caused by the hoek library, nodesecurity.io - nodesecurity Resources and Information.. Below I’ve added the exact report of both issues. I see that the affected hoek library is included by an older joi version, which is then included by Expo’s xdl library. The full dependency chain is this:

<our-project>
└─┬ exp@54.0.0
  └─┬ xdl@50.0.0
    └─┬ joi@10.6.0
      └── hoek@4.2.1

Because npm@6 is now shipped with a build in security check on every install, and of course the newly added npm audit script, it’s maybe a good idea to try and resolve this issue? As far as I can tell, this is fixable by upgrading Expo’s xdl dependency of joi to ^13. In this version the patched hoek@>5 version is referenced (https://github.com/hapijs/joi/blob/v13.0.0/package.json).

I can make a PR for xdl if it helps. I’m not sure what this upgrade means regarding breaking changes. Luckily the devs of joi do have a clear changelog using their github issues. Unfortunately I can’t mention them because of the url limit here. But you can see them by listing all issues with the release notes label.

Let me know if I can do anything to help!

Cheers!
Cedric

The actual report output

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native-scripts > xdl > jsonwebtoken > joi > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native-scripts > xdl > jsonwebtoken > joi > topo >     │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

bycedric · May 19, 2018, 2:38pm

Ah, I’ve got clearance on the links

Here are the release notes of Joi:

13.0.0 (https://github.com/hapijs/joi/issues/1328)
12.0.0 (https://github.com/hapijs/joi/issues/1326)
11.0.0 (https://github.com/hapijs/joi/issues/1302)

quinlanj · May 22, 2018, 12:51am

hi @bycedric, if you could make a pr for this, that would be helpful. thanks!

bycedric · May 22, 2018, 8:41am

Sure! I will create one after working hours, around ±18:00 (CEST).

bycedric · May 22, 2018, 7:19pm

Hi @quinlanj!

I guess I owe you an apology, I accidentally mixed up Expo’s xdl and its actual cause, react-native-scripts. I see that the exact error originated from jsonwebtoken, which was included in xdl. Luckily this has been resolved already in xdl, but react-native-scripts actually uses an older/outdated version of xdl what caused our pipeline to raise the issues.

So it is not the xdl, but the create-react-native-app repo which should be fixed. That’s why I created and issue and PR to still have this fixed, https://github.com/react-community/create-react-native-app/issues/663.

Still, I’m sorry for incorrectly flagging this! You can resolve this forum discussion I think.

Have a great day!

Cheers,
Cedric

system · June 6, 2018, 7:19pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I think i found some problems here Expo SDK	2	641	July 25, 2018
npm WARN deprecated joi@14.0.4 Expo SDK	7	6055	June 7, 2019
[2017-10-25] Issues with logging into Expo developer accounts Expo SDK	70	9605	April 28, 2020
Fresh init uses vulnerable shell-quote dependency Expo SDK	3	179	July 19, 2022
Problems on installing expo-cli How to / Third Party Tooling	25	3426	November 10, 2021

Minor security issues in `expo/xdl`

Related Topics