Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #31906 Handle `yaml` security issue
    Actions
    Infos
    #31906
    Joris MASSON (jmasson)
    2023-04-28 08:46
    2023-04-26 14:59
    33509
    Details
    Handle `yaml` security issue

    The yaml npm package version we depend upon in Tuleap is subject to CVE-2023-2251. Our dependencies to this package are as follows:

    flowchart LR
    css[postcss-loader] --> cosmiconfig
    stylelint --> cosmiconfig
    gettext[vue3-gettext] --> cosmiconfig
    webpack[fork-ts-checker-webpack-plugin] --> cosmiconfig
    cosmiconfig --> yaml

    Of those 4 top-level packages, 3 are dev tools. vue3-gettext is used in our apps, but we never use it to extract gettext (no usage of vue-gettext-compile or vue-gettext-extract). Thus, this issue does not pose a threat to Tuleap users. In order to exploit it, attackers would need to craft a special yaml configuration in our git repository, which would result in Tuleap failing to build with an uncaught exception.

    Dealing with this issue is likely going to take some time though. cosmiconfig v8.0.0 [0] has replaced its dependency to yaml by js-yaml, which fixes the issue. At the time of writing,

    • postcss-loader has bumped its cosmiconfig version (request #31904).
    • stylelint also, but it means dealing with a major version bump with some rules that were removed [1].
    • vue3-gettext has not yet bumped its cosmiconfig version, which means we must open an issue and/or contribute upstream.
    • fork-ts-checker-webpack-plugin has a situation of its own, see below.

    fork-ts-checker-webpack-plugin

    It has not yet bumped its cosmiconfig version, but if / when it does, we will have some trouble upgrading ourselves.

    This plugin is used to run the typechecking during pnpm run build. We want to stop doing this (see ADR-0010), but many apps have not been migrated yet. It has an option to deal with Vue.js files, but in v8.0.0 [2] they decided to drop this option. This means that for all frontend apps that are in Vue and are built with webpack, we must add a typecheck task in their package.json to still keep the typechecking. This typecheck task should use vue-tsc. When adding this task while splitting some plugin builds, I noticed it revealed a number of issues each time, so that will be time-consuming. See request #31907 for details.

    Links

    Dependencies
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Joris MASSON (jmasson)
    Declined
    2023-04-28
    Attachments
    Artifact links
    Empty
    Empty
    References
    Display settings

    Follow-ups

    User avatar
    Joris MASSON (jmasson)2023-04-28 08:46

    It turns out the original advisory was not correctly filled: it only affects yaml versions starting 2.0.0-5, which means Tuleap is completely not affected. See https://osv.dev/vulnerability/GHSA-f9xv-q969-pqx4

    The points about dealing with fork-ts-checker-webpack-plugin and stylelint remain valid, but shall be addressed separately.

    • Status changed from New to Declined
    • Assigned to changed from None to Joris MASSON (jmasson)
    • Close date set to 2023-04-28
    User avatar
    Joris MASSON (jmasson)2023-04-26 15:26
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes