
Clasp fails at CASA Tier 2 scan due to a vulnerability in cacheable-request at version 7.0.2 #961

Open
Frenchcooc opened this issue Apr 4, 2023 · 1 comment

Comments

@Frenchcooc

Expected Behavior

As part of Google's OAuth verification process, I had to self-scan my application for CASA Tier 2. It appeared that one of @google/clasp dependencies has a known vulnerability.

Here's an excerpt of my CASA scan:

CWE: 937
Stream: skims
Title: 393. Use of software with known vulnerabilities in development
Description: Use of cacheable-request at version 7.0.2 with ['GHSA-8x6c-cv3v-vp6g'] in OWASP/codebase/addon-gsheets/addon/yarn.lock

If I take only a subset of my yarn.lock, the dependency chain at fault is as follows:

"@google/clasp@^2.4.2":
  version "2.4.2"
  dependencies:
    ...
    is-reachable "^5.0.0"
    ...

is-reachable@^5.0.0:
  dependencies:
    ...
    got "^11.7.0"
    ...

got@^11.7.0:
  version "11.8.6"
  dependencies:
    ...
    cacheable-request "^7.0.2"
    ...

or more visually:

"@google/clasp@^2.4.2"
└── is-reachable "^5.0.0"
    └── got "^11.7.0"
        └── cacheable-request "^7.0.2"

And indeed, all versions of cacheable-request before `10.2.7` are impacted by a vulnerability (GHSA-8x6c-cv3v-vp6g).

To be honest, I don't think this vulnerability could be exploited in clasp, but not fixing this would make all add-ons that rely on @google/clasp not compliant with Google's OAuth verification process.

Actual Behavior

I believe updating is-reachable to the latest version (5.2.1) will fix the issue.

Steps to Reproduce the Problem

  1. Install latest version of @google/clasp
  2. Look at your package-lock.json or yarn.lock
  3. The dependency cacheable-request is at version 7.0.2

Specifications

  • Node version (node -v): v16.17.1
  • Version (clasp -v): 2.4.2
  • OS (Mac/Linux/Windows): Mac
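Added example (my own, not code from the clasp project or the reporter): a Node script that walks a package-lock.json v2/v3 `packages` map using npm's nearest-`node_modules` resolution rule and reports every dependency path that ends at a package resolved below a given fixed version. The lock data is constructed inline to mirror the chain quoted above; `10.2.7` is the fixed version this issue cites for cacheable-request, and pre-release tags are ignored in the version comparison.

```javascript
// Constructed lock data mirroring the chain quoted in this issue (not a real lockfile).
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "@google/clasp": "^2.4.2" } },
    "node_modules/@google/clasp": { version: "2.4.2", dependencies: { "is-reachable": "^5.0.0" } },
    "node_modules/is-reachable": { version: "5.0.0", dependencies: { got: "^11.7.0" } },
    "node_modules/got": { version: "11.8.6", dependencies: { "cacheable-request": "^7.0.2" } },
    "node_modules/cacheable-request": { version: "7.0.2" },
  },
};
// "x.y.z" -> [x, y, z]; pre-release and build tags are ignored (simplification).
function parseVersion(v) {
  return v.replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
}
// True when a sorts strictly before b, compared numerically: "7.0.2" < "10.2.7".
function versionLt(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// npm's lookup rule: a dependency resolves to the nearest enclosing node_modules, so a nested copy wins over a hoisted one.
function resolveDep(packages, fromLoc, name) {
  let base = fromLoc;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without a match
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Depth-first walk from the root; returns "a@1 > b@2 > ..." for every path reaching `target` below `fixedVersion`.
function findVulnerablePaths(lock, target, fixedVersion) {
  const packages = lock.packages, hits = [];
  const walk = (loc, trail, seen) => {
    const pkg = packages[loc];
    if (!pkg || seen.has(loc)) return; // guards against dependency cycles
    const nextSeen = new Set(seen).add(loc);
    for (const name of Object.keys(pkg.dependencies || {})) {
      const depLoc = resolveDep(packages, loc, name);
      if (!depLoc) continue; // not installed (e.g. an omitted optional dependency)
      const step = `${name}@${packages[depLoc].version}`;
      if (name !== target) walk(depLoc, [...trail, step], nextSeen);
      else if (versionLt(packages[depLoc].version, fixedVersion)) hits.push([...trail, step].join(" > "));
    }
  };
  walk("", [], new Set());
  return hits;
}
```

Point it at a real lockfile with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` in place of `SAMPLE_LOCK` to see which top-level dependency drags in the flagged version.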
@Frenchcooc (Author)

I'm happy to create a PR, but it feels like running npm run audit by an official maintainer would speed up the process here:

$ npm audit fix 

added 4 packages, removed 64 packages, changed 24 packages, and audited 617 packages in 9s

122 packages are looking for funding
  run `npm fund` for details

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

and among other things is-reachable would be updated:

  "node_modules/is-reachable": {
---      "version": "5.0.0",
---      "resolved": "https://registry.npmjs.org/is-reachable/-/is-reachable-5.0.0.tgz",
---      "integrity": "sha512-frRPbdrQWEqbnF1il9Dyrf52Q40exkHdo4/grWMjHrBn4G1DKC9sbuQihgANkJPNi2eosU4AXBsrITdXmc3IQg==",
+++      "version": "5.2.1",
+++      "resolved": "https://registry.npmjs.org/is-reachable/-/is-reachable-5.2.1.tgz",
+++      "integrity": "sha512-ViPrrlmt9FTTclYbz6mL/PFyF1TXSpJ9y/zw9QMVJxbhU/7DFkvk/5cTv7S0sXtqbJj32zZ+jKpNAjrYTUZBPQ==",
      "dependencies": {
        "arrify": "^2.0.1",
        "got": "^11.7.0",
        "is-port-reachable": "^3.0.0",
        "p-any": "^3.0.0",
        "p-timeout": "^3.2.0",
        "prepend-http": "^3.0.1",
        "router-ips": "^1.0.0",
---     "url-parse": "^1.4.7"
+++     "url-parse": "^1.5.10"
      },
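Review bot: the `"got": "^11.7.0"` line in the `dependencies` block is identical before and after the is-reachable bump, and the yarn.lock excerpt earlier in this issue shows `got@^11.7.0` resolving `cacheable-request "^7.0.2"`, so this fragment alone does not show that the flagged cacheable-request resolution changes. Quote the `node_modules/cacheable-request` entry of the updated lockfile with its resolved `version` so the GHSA-8x6c-cv3v-vp6g finding can be confirmed cleared rather than assumed.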

sqrrrl pushed a commit that referenced this issue Jan 17, 2025
BREAKING CHANGE: CLI syntax changed for some commands, specifically the `apis` command group.