Update express to 4.17.3 to address querystring vulnerability #66

eleichter-globality · 2022-12-22T00:08:14Z

See GLOB-70859 and https://github.com/n8tz/CVE-2022-24999 for background on this vulnerability.

I managed to reproduce the exploit by borrowing from the vulnerability repo's POC in globalitydocx. I added a dummy route that looked like this:

    router.get('/api/qs-test', function(req, res, next) {
        const categories = req.query.categories;
        
        console.log('[server] Received query : ', req.query);
        console.log('[server] (categories instanceof Array) : ', (categories instanceof Array));
        
        if ( !categories || !(categories instanceof Array) ) {
            res.send('Categories is not an array, which is probably a good thing');
            return;
        }
        
        console.log('[server] Do : req.query.categories.indexOf("123")');
        console.time('[server] req.query.categories.indexOf("123")');
        req.query.categories.indexOf("123")
        console.timeEnd('[server] req.query.categories.indexOf("123")');
        
        res.send('Done!');
    });

Then sent a request to a locally-running server with this:

time curl --location -g 'http://localhost:3037/api/qs-test?categories[__proto__]&categories[__proto__]&categories[length]=100000000'

Without the update to this library, the server treated categories like an array and took 4 seconds to respond (even if its own copy of express was updated to the fix version). Once I got the local server to use this version of nodule-express, it responded to the same request quickly, and hit the Categories is not an array branch.

michlipskiGlo · 2022-12-22T00:14:00Z

package.json

@@ -20,7 +20,7 @@
        "connect-requestid": "^1.1.0",
        "cors": "^2.8.4",
        "dataloader": "^1.4.0",
-        "express": "^4.16.3",


Just want to verify that we want 4.17.3 and not ^4.17.3

Good call, it looks like we can. This gets us express 4.18.2, which has qs 6.11.0 which has the fix (that came from here). And I verified that I can't reproduce the vulnerability with this new version of nodule-express + express.

(I'm somewhat obsessively double-checking all this because I spent the better part of the day jumping through dependency hell to test this).

jyoko-glob

Appreciate you fighting with the dependencies! 🍻

Update express to 4.17.3 to address querystring vulnerability

119d0d1

michlipskiGlo reviewed Dec 22, 2022

View reviewed changes

michlipskiGlo approved these changes Dec 22, 2022

View reviewed changes

Actually, lets try the caret

87f772e

jyoko-glob approved these changes Dec 22, 2022

View reviewed changes

eleichter-globality merged commit 9e67066 into master Jan 4, 2023

eleichter-globality deleted the GLOB-70859_update-express-for-vuln branch January 4, 2023 16:39

eleichter-globality mentioned this pull request Jan 4, 2023

GLOB-70859 Bump version to 0.6.1 #69

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update express to 4.17.3 to address querystring vulnerability #66

Update express to 4.17.3 to address querystring vulnerability #66

eleichter-globality commented Dec 22, 2022 •

edited by jira bot

michlipskiGlo Dec 22, 2022

eleichter-globality Dec 22, 2022

jyoko-glob left a comment

Update express to 4.17.3 to address querystring vulnerability #66

Update express to 4.17.3 to address querystring vulnerability #66

Conversation

eleichter-globality commented Dec 22, 2022 • edited by jira bot

michlipskiGlo Dec 22, 2022

Choose a reason for hiding this comment

eleichter-globality Dec 22, 2022

Choose a reason for hiding this comment

jyoko-glob left a comment

Choose a reason for hiding this comment

eleichter-globality commented Dec 22, 2022 •

edited by jira bot