potential security vulnerability via an outdated version of static-module@1.5.0 > static-eval@0.2.4

[alhugot]

Hi,
this is perhaps not the place to report it, please feel free to close the issue, but the version of static-module specified in the package.json is affected by this security vulnerability:
https://nodesecurity.io/advisories/548
cwise@1.0.10 > static-module@1.5.0 > static-eval@0.2.4

I have tried to update static-module to version ^2.0.0 which fixes the issue:
browserify/static-module#34

...but the tests are failing. I do no know this code enough to fix it, any help is welcome.

This is part of making plotly.js pass security tests:
plotly/plotly.js#2386

Would also be good to have a security badge with:
snyk: https://github.com/snyk/snyk#badge
or
nsp: see https://github.com/dwyl/repo-badges
Thx
Alex

[etpinard]

Unfortunately, bumping static-module to the unvulnerable 2.x series won't be trivial.

Changes from PRs browserify/static-eval#18 and browserify/static-module#38 appear to be incompatible with cwise.

From my findings, static-module fails (i.e. does not transform cwise({args: [], body: () => {}}) expressions) whenever body() mutates one if its input arguments.

For example, with

// cmd.js
var fs = require('fs')
var sm = require('./lib/cwise-transform')()

process.stdin.pipe(sm).pipe(process.stdout)

// works.js
var cwise = require('cwise')
var f = cwise({
  args: ["array"],
  body: function() {
      return 'yo'
  },
})

// fails.js
var cwise = require('cwise')
var f = cwise({
  args: ["array"],
  body: function(a) {
      ++a
  },
})

then, node cmd.js < works.js works just fine (but doesn't do anything 😏 ), and node cmd.js < fails.js outputs:

var f = cwise({
  args: ["array"],
  body: function(a) {
      ++a
  }
})

that is, it correctly removes the require statement, but ignores the cwise call.

[alhugot]

Thanks for looking at it. I tried to update the dependency but the tests are failing (I am on windows and not familiar with these libs).
But I am able to run the examples which are in the example dir.

[michal-rad]

+1

[etpinard]

@alhugot I believe your patch in https://github.com/alhugot/cwise/commit/39b4ad8a1c67d94903bdc139e59bc764e59bad6f defeats the purpose of browserify suite where cwise is used as a transform.

To double-check, would you mind comparing the output of browserify -t cwise test/fill.js using old and new static-module versions?

[alhugot]

@etpinard I am sorry I don't know much about browserify. Do you mean changing
var cwise = require("cwise") to var cwise = require("../cwise") in the unit test?

[alhugot]

ok I see, I have look at https://github.com/scijs/ndarray-fill module which use cwise and indeed the transform is wrong, as in your example. Sorry a bit slow on this one.

[etpinard]

. Sorry a bit slow on this one.

No worries. Thanks for the help!

[dutscher]

+1

[hakandilek]

@etpinard browserify -t cwise test/fill.js outputs are the same with static-module@2.2.5

[etpinard]

@hakandilek thanks for the headsup, but npm test fails for me with static-module@2.2.5.

[hakandilek]

What's the reason? Check out my linked pull request. I've integrated Travis ci also for the actual nodejs versions.

…

On Wed, 30 May 2018, 17:44 Étienne Tétreault-Pinard, < ***@***.***> wrote: @hakandilek <https://github.com/hakandilek> thanks for the headsup, but npm test fails for me with ***@***.*** — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#19 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABBdWf3KaUh7_bwyNR-hvHwpcEnxsTS3ks5t3r5jgaJpZM4SMRVS> .

[etpinard]

Check out my linked pull request.

Ha. Sorry I missed that. Thanks for the PR.