From 0060c9cdceaa61e902b0a063a52944ffacc4bb88 Mon Sep 17 00:00:00 2001 From: Peter Somogyvari Date: Wed, 17 Jul 2024 11:38:12 -0700 Subject: [PATCH] fix: address CVE-2022-24434, GHSA-wm7h-9275-46v2 caused by dicer The process for this fix was to: 1. `yarn why -R dicer` 2. Then examine the output of that and see which dependencies are using dicer indirectly (transient dependencies) 3. `yarn up multer --exact` 4. `yarn up express-openapi-validator --exact` 5. Profit, e.g. running `yarn why -R dicer` at this point shows that dicer has been eliminated from the dependency tree completely. https://github.com/hyperledger/cacti/security/dependabot/176 Weaknesses CWE-248 CVE ID CVE-2022-24434 GHSA ID GHSA-wm7h-9275-46v2 Also sneaking in a test case hot-fix for besu/deploy-contract/private-deploy-contract-from-json-cactus.test.ts where the error message assertion broke down after a change in error handling of the contract deployment endpoint. Signed-off-by: Peter Somogyvari --- packages/cactus-cmd-api-server/package.json | 2 +- packages/cactus-core/package.json | 2 +- ...e-deploy-contract-from-json-cactus.test.ts | 13 +- .../package.json | 2 +- .../package.json | 4 +- yarn.lock | 213 ++++++------------ 6 files changed, 83 insertions(+), 153 deletions(-) diff --git a/packages/cactus-cmd-api-server/package.json b/packages/cactus-cmd-api-server/package.json index 33e7672c46..53803ce4db 100644 --- a/packages/cactus-cmd-api-server/package.json +++ b/packages/cactus-cmd-api-server/package.json @@ -83,7 +83,7 @@ "express": "4.19.2", "express-http-proxy": "1.6.2", "express-jwt": "8.4.1", - "express-openapi-validator": "5.0.4", + "express-openapi-validator": "5.2.0", "express-rate-limit": "6.7.0", "fastify": "4.26.2", "fs-extra": "11.2.0", diff --git a/packages/cactus-core/package.json b/packages/cactus-core/package.json index 5bab83fad4..09b88a2d18 100644 --- a/packages/cactus-core/package.json +++ b/packages/cactus-core/package.json @@ -55,7 +55,7 @@ "body-parser": "1.20.2", "express": "4.19.2", "express-jwt-authz": "2.4.1", - "express-openapi-validator": "5.0.4", + "express-openapi-validator": "5.2.0", "http-errors": "2.0.0", "http-errors-enhanced-cjs": "2.0.1", "run-time-error-cjs": "1.4.0", diff --git a/packages/cactus-plugin-ledger-connector-besu/src/test/typescript/integration/plugin-ledger-connector-besu/deploy-contract/private-deploy-contract-from-json-cactus.test.ts b/packages/cactus-plugin-ledger-connector-besu/src/test/typescript/integration/plugin-ledger-connector-besu/deploy-contract/private-deploy-contract-from-json-cactus.test.ts index 9944d7272f..f48a673292 100644 --- a/packages/cactus-plugin-ledger-connector-besu/src/test/typescript/integration/plugin-ledger-connector-besu/deploy-contract/private-deploy-contract-from-json-cactus.test.ts +++ b/packages/cactus-plugin-ledger-connector-besu/src/test/typescript/integration/plugin-ledger-connector-besu/deploy-contract/private-deploy-contract-from-json-cactus.test.ts @@ -414,8 +414,17 @@ describe("PluginLedgerConnectorBesu", () => { type: Web3SigningCredentialType.PrivateKeyHex, }, }); - await expect(contractInvocationNoPrivTxConfig).rejects.toMatch( - /Returned values aren't valid, did it run Out of Gas\? You might also see this error if you are not using the correct ABI for the contract you are retrieving data from, requesting data from a block number that does not exist, or querying a node which is not fully synced\./, + // try { + // await contractInvocationNoPrivTxConfig; + // } catch (ex) { + // console.log(ex); + // } + const wrongSecretErrorMsgPattern = + /Returned values aren't valid, did it run Out of Gas\? You might also see this error if you are not using the correct ABI for the contract you are retrieving data from, requesting data from a block number that does not exist, or querying a node which is not fully synced\./; + + await expect(contractInvocationNoPrivTxConfig).rejects.toHaveProperty( + "message", + expect.stringMatching(wrongSecretErrorMsgPattern), ); } diff --git a/packages/cactus-plugin-ledger-connector-corda/package.json b/packages/cactus-plugin-ledger-connector-corda/package.json index 4c055be5e6..0510e84a4d 100644 --- a/packages/cactus-plugin-ledger-connector-corda/package.json +++ b/packages/cactus-plugin-ledger-connector-corda/package.json @@ -60,7 +60,7 @@ "@hyperledger/cactus-core": "2.0.0-rc.2", "@hyperledger/cactus-core-api": "2.0.0-rc.2", "axios": "1.6.0", - "express-openapi-validator": "5.0.4", + "express-openapi-validator": "5.2.0", "internal-ip": "6.2.0", "joi": "17.13.3", "node-ssh": "13.1.0", diff --git a/packages/cactus-plugin-ledger-connector-polkadot/package.json b/packages/cactus-plugin-ledger-connector-polkadot/package.json index 6784334d48..f5783d1b28 100644 --- a/packages/cactus-plugin-ledger-connector-polkadot/package.json +++ b/packages/cactus-plugin-ledger-connector-polkadot/package.json @@ -74,13 +74,13 @@ "axios": "1.6.0", "bl": "5.1.0", "express": "4.19.2", - "express-openapi-validator": "4.13.1", + "express-openapi-validator": "5.2.0", "form-data": "4.0.0", "fs-extra": "11.2.0", "http-errors-enhanced-cjs": "2.0.1", "http-status-codes": "2.1.4", "joi": "17.13.3", - "multer": "1.4.2", + "multer": "1.4.5-lts.1", "ngo": "2.6.2", "openapi-types": "12.1.3", "prom-client": "15.1.3", diff --git a/yarn.lock b/yarn.lock index 572ad1bd2d..3c0db8d18f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -805,27 +805,14 @@ __metadata: languageName: node linkType: hard -"@apidevtools/json-schema-ref-parser@npm:9.0.9": - version: 9.0.9 - resolution: "@apidevtools/json-schema-ref-parser@npm:9.0.9" - dependencies: - "@jsdevtools/ono": "npm:^7.1.3" - "@types/json-schema": "npm:^7.0.6" - call-me-maybe: "npm:^1.0.1" - js-yaml: "npm:^4.1.0" - checksum: 10/4b73ebbb3a3c1d7620c993a7a7067d71897d9c8be32bf5cf5bee1d2fdab594b2ef32074cbd55464f28dc6930fa715e420fda2a06b23f8889559eedb4422e074e - languageName: node - linkType: hard - -"@apidevtools/json-schema-ref-parser@npm:^9.1.2": - version: 9.1.2 - resolution: "@apidevtools/json-schema-ref-parser@npm:9.1.2" +"@apidevtools/json-schema-ref-parser@npm:^11.6.2": + version: 11.6.4 + resolution: "@apidevtools/json-schema-ref-parser@npm:11.6.4" dependencies: "@jsdevtools/ono": "npm:^7.1.3" - "@types/json-schema": "npm:^7.0.6" - call-me-maybe: "npm:^1.0.1" + "@types/json-schema": "npm:^7.0.15" js-yaml: "npm:^4.1.0" - checksum: 10/7553f994974c5c6f99d14b9f47e9dccaedbcdd1565a099bbf7413494c71e1a246562bd6bfa394b6be026d176c734ff89aed87e2c3a92d01ff4350c64514bfb48 + checksum: 10/66ab61d49d29915d7a95f452d753f5fccdc26e565262864cf3a44b838b25d8bca1961d0b285b119d1daa44321f606ddf22ee2090a49a5af5e7d348dc63c916e0 languageName: node linkType: hard @@ -9391,7 +9378,7 @@ __metadata: express: "npm:4.19.2" express-http-proxy: "npm:1.6.2" express-jwt: "npm:8.4.1" - express-openapi-validator: "npm:5.0.4" + express-openapi-validator: "npm:5.2.0" express-rate-limit: "npm:6.7.0" fastify: "npm:4.26.2" fs-extra: "npm:11.2.0" @@ -9532,7 +9519,7 @@ __metadata: body-parser: "npm:1.20.2" express: "npm:4.19.2" express-jwt-authz: "npm:2.4.1" - express-openapi-validator: "npm:5.0.4" + express-openapi-validator: "npm:5.2.0" http-errors: "npm:2.0.0" http-errors-enhanced-cjs: "npm:2.0.1" node-mocks-http: "npm:1.14.0" @@ -10298,7 +10285,7 @@ __metadata: axios: "npm:1.6.0" body-parser: "npm:1.20.2" express: "npm:4.19.2" - express-openapi-validator: "npm:5.0.4" + express-openapi-validator: "npm:5.2.0" internal-ip: "npm:6.2.0" joi: "npm:17.13.3" node-ssh: "npm:13.1.0" @@ -10503,13 +10490,13 @@ __metadata: axios: "npm:1.6.0" bl: "npm:5.1.0" express: "npm:4.19.2" - express-openapi-validator: "npm:4.13.1" + express-openapi-validator: "npm:5.2.0" form-data: "npm:4.0.0" fs-extra: "npm:11.2.0" http-errors-enhanced-cjs: "npm:2.0.1" http-status-codes: "npm:2.1.4" joi: "npm:17.13.3" - multer: "npm:1.4.2" + multer: "npm:1.4.5-lts.1" ngo: "npm:2.6.2" openapi-types: "npm:12.1.3" prom-client: "npm:15.1.3" @@ -17151,7 +17138,7 @@ __metadata: languageName: node linkType: hard -"@types/json-schema@npm:*, @types/json-schema@npm:^7.0.6, @types/json-schema@npm:^7.0.8": +"@types/json-schema@npm:*, @types/json-schema@npm:^7.0.8": version: 7.0.9 resolution: "@types/json-schema@npm:7.0.9" checksum: 10/7ceb41e396240aa69ae15c02ffbb6548ea2bb2f845a7378c711c7c908a9a8438a0330f3135f1ccb6e82e334b9e2ec5b94fb57a1435f2b15362d38e9d5109e5ea @@ -17165,6 +17152,13 @@ __metadata: languageName: node linkType: hard +"@types/json-schema@npm:^7.0.15": + version: 7.0.15 + resolution: "@types/json-schema@npm:7.0.15" + checksum: 10/1a3c3e06236e4c4aab89499c428d585527ce50c24fe8259e8b3926d3df4cfbbbcf306cfc73ddfb66cbafc973116efd15967020b0f738f63e09e64c7d260519e7 + languageName: node + linkType: hard + "@types/json-schema@npm:^7.0.4, @types/json-schema@npm:^7.0.5": version: 7.0.13 resolution: "@types/json-schema@npm:7.0.13" @@ -17363,7 +17357,7 @@ __metadata: languageName: node linkType: hard -"@types/multer@npm:1.4.7, @types/multer@npm:^1.4.7": +"@types/multer@npm:1.4.7": version: 1.4.7 resolution: "@types/multer@npm:1.4.7" dependencies: @@ -17372,6 +17366,15 @@ __metadata: languageName: node linkType: hard +"@types/multer@npm:^1.4.11": + version: 1.4.11 + resolution: "@types/multer@npm:1.4.11" + dependencies: + "@types/express": "npm:*" + checksum: 10/5abbc9a8b0d7bb817a52429c52f052152ebe2fb212e7138359c0c0b9207486ef7b1e54f65915c968300a0874cee546dbfc850415584fc9d14eff2b27bb926e7f + languageName: node + linkType: hard + "@types/node-fetch@npm:2.6.2": version: 2.6.2 resolution: "@types/node-fetch@npm:2.6.2" @@ -19312,7 +19315,7 @@ __metadata: languageName: node linkType: hard -"ajv@npm:8.12.0, ajv@npm:^8.10.0, ajv@npm:^8.11.0, ajv@npm:^8.11.2, ajv@npm:^8.6.0, ajv@npm:^8.6.3": +"ajv@npm:8.12.0, ajv@npm:^8.10.0, ajv@npm:^8.11.0, ajv@npm:^8.6.0, ajv@npm:^8.6.3": version: 8.12.0 resolution: "ajv@npm:8.12.0" dependencies: @@ -19346,7 +19349,7 @@ __metadata: languageName: node linkType: hard -"ajv@npm:^6.10.0, ajv@npm:^6.11.0, ajv@npm:^6.12.2, ajv@npm:^6.12.3, ajv@npm:^6.12.4, ajv@npm:^6.12.5, ajv@npm:^6.12.6": +"ajv@npm:^6.10.0, ajv@npm:^6.11.0, ajv@npm:^6.12.2, ajv@npm:^6.12.3, ajv@npm:^6.12.4, ajv@npm:^6.12.5": version: 6.12.6 resolution: "ajv@npm:6.12.6" dependencies: @@ -19370,6 +19373,18 @@ __metadata: languageName: node linkType: hard +"ajv@npm:^8.14.0": + version: 8.17.1 + resolution: "ajv@npm:8.17.1" + dependencies: + fast-deep-equal: "npm:^3.1.3" + fast-uri: "npm:^3.0.1" + json-schema-traverse: "npm:^1.0.0" + require-from-string: "npm:^2.0.2" + checksum: 10/ee3c62162c953e91986c838f004132b6a253d700f1e51253b99791e2dbfdb39161bc950ebdc2f156f8568035bb5ed8be7bd78289cd9ecbf3381fe8f5b82e3f33 + languageName: node + linkType: hard + "ajv@npm:^8.8.0": version: 8.11.0 resolution: "ajv@npm:8.11.0" @@ -21887,16 +21902,6 @@ __metadata: languageName: node linkType: hard -"busboy@npm:^0.2.11": - version: 0.2.14 - resolution: "busboy@npm:0.2.14" - dependencies: - dicer: "npm:0.2.5" - readable-stream: "npm:1.1.x" - checksum: 10/e0089b020d6c0f7f29864fd847b4d4a3acb30de76094b3312024666aae5f59592c2301092284423c9c51b4ec1a0dd6b39b24a80633b2a325dc3faa9cfca2c01a - languageName: node - linkType: hard - "busboy@npm:^1.0.0, busboy@npm:^1.6.0": version: 1.6.0 resolution: "busboy@npm:1.6.0" @@ -22192,13 +22197,6 @@ __metadata: languageName: node linkType: hard -"call-me-maybe@npm:^1.0.1": - version: 1.0.1 - resolution: "call-me-maybe@npm:1.0.1" - checksum: 10/9a965479202df1ea9d76abfdd8d43a8f85dfb85124763b5997ccfeabee2ee7f7e4fc88259b0ad05799bde79f4873efb9855da6d8bb2972a831f8a3d1c67acc06 - languageName: node - linkType: hard - "caller-callsite@npm:^4.1.0": version: 4.1.0 resolution: "caller-callsite@npm:4.1.0" @@ -23670,7 +23668,7 @@ __metadata: languageName: node linkType: hard -"content-type@npm:^1.0.4, content-type@npm:^1.0.5, content-type@npm:~1.0.5": +"content-type@npm:^1.0.5, content-type@npm:~1.0.5": version: 1.0.5 resolution: "content-type@npm:1.0.5" checksum: 10/585847d98dc7fb8035c02ae2cb76c7a9bd7b25f84c447e5ed55c45c2175e83617c8813871b4ee22f368126af6b2b167df655829007b21aa10302873ea9c62662 @@ -25883,16 +25881,6 @@ __metadata: languageName: node linkType: hard -"dicer@npm:0.2.5": - version: 0.2.5 - resolution: "dicer@npm:0.2.5" - dependencies: - readable-stream: "npm:1.1.x" - streamsearch: "npm:0.1.2" - checksum: 10/a2f60fd278243c7fe44088ec266b9c41a6a35769546fe77c3d927ff617668afecd663d2ec0ca7089989a1eadb97377a51c10b12cd6de19c7a0d6d79ffd02caee - languageName: node - linkType: hard - "did-resolver@npm:^4.0.0, did-resolver@npm:^4.1.0": version: 4.1.0 resolution: "did-resolver@npm:4.1.0" @@ -29028,45 +29016,26 @@ __metadata: languageName: node linkType: hard -"express-openapi-validator@npm:4.13.1": - version: 4.13.1 - resolution: "express-openapi-validator@npm:4.13.1" - dependencies: - "@types/multer": "npm:^1.4.7" - ajv: "npm:^6.12.6" - content-type: "npm:^1.0.4" - json-schema-ref-parser: "npm:^9.0.9" - lodash.clonedeep: "npm:^4.5.0" - lodash.get: "npm:^4.4.2" - lodash.uniq: "npm:^4.5.0" - lodash.zipobject: "npm:^4.1.3" - media-typer: "npm:^1.1.0" - multer: "npm:^1.4.3" - ono: "npm:^7.1.3" - path-to-regexp: "npm:^6.2.0" - checksum: 10/d80d7589804e6d0efd5e2ae64fe240b40e3f58af28d35180ecde7a96db72f33761e267258351c2afd821d8bb637229d77c384f6d19f9379a6b52b78d1793ee70 - languageName: node - linkType: hard - -"express-openapi-validator@npm:5.0.4": - version: 5.0.4 - resolution: "express-openapi-validator@npm:5.0.4" +"express-openapi-validator@npm:5.2.0": + version: 5.2.0 + resolution: "express-openapi-validator@npm:5.2.0" dependencies: - "@apidevtools/json-schema-ref-parser": "npm:^9.1.2" - "@types/multer": "npm:^1.4.7" - ajv: "npm:^8.11.2" + "@apidevtools/json-schema-ref-parser": "npm:^11.6.2" + "@types/multer": "npm:^1.4.11" + ajv: "npm:^8.14.0" ajv-draft-04: "npm:^1.0.0" ajv-formats: "npm:^2.1.1" content-type: "npm:^1.0.5" + json-schema-traverse: "npm:^1.0.0" lodash.clonedeep: "npm:^4.5.0" lodash.get: "npm:^4.4.2" - lodash.uniq: "npm:^4.5.0" - lodash.zipobject: "npm:^4.1.3" media-typer: "npm:^1.1.0" multer: "npm:^1.4.5-lts.1" ono: "npm:^7.1.3" - path-to-regexp: "npm:^6.2.0" - checksum: 10/793f3bcd369f4f67a228c4965834cd649e891ca1aae7b13795d6569399d02c6638df96428d4c320e3d61146e78627a6b012b1461bdb9a69ea1c1b0ce4a1401dc + path-to-regexp: "npm:^6.2.2" + peerDependencies: + express: "*" + checksum: 10/f39ea66819f1d63f7e3ea8e917dfea50bac046cafdd1018d6236870dfdc778408fbd19686cc7f2a4ede9c3fc8a77754caf7543bc449188fc9c3f28b8faf66e74 languageName: node linkType: hard @@ -29596,6 +29565,13 @@ __metadata: languageName: node linkType: hard +"fast-uri@npm:^3.0.1": + version: 3.0.1 + resolution: "fast-uri@npm:3.0.1" + checksum: 10/e8ee4712270de0d29eb0fbf41ffad0ac80952e8797be760e8bb62c4707f08f50a86fe2d7829681ca133c07d6eb4b4a75389a5fc36674c5b254a3ac0891a68fc7 + languageName: node + linkType: hard + "fastest-levenshtein@npm:^1.0.12": version: 1.0.12 resolution: "fastest-levenshtein@npm:1.0.12" @@ -36284,15 +36260,6 @@ __metadata: languageName: node linkType: hard -"json-schema-ref-parser@npm:^9.0.9": - version: 9.0.9 - resolution: "json-schema-ref-parser@npm:9.0.9" - dependencies: - "@apidevtools/json-schema-ref-parser": "npm:9.0.9" - checksum: 10/54f42b439abd865f9364e24f29e8e6849bae7565f40d11ef939e99e8285ad86673b7ff16f31398a15d6bff233844949b2f3f45de31d31393cc1c4d18957fc2e3 - languageName: node - linkType: hard - "json-schema-ref-resolver@npm:^1.0.1": version: 1.0.1 resolution: "json-schema-ref-resolver@npm:1.0.1" @@ -38036,13 +38003,6 @@ __metadata: languageName: node linkType: hard -"lodash.zipobject@npm:^4.1.3": - version: 4.1.3 - resolution: "lodash.zipobject@npm:4.1.3" - checksum: 10/1ab635b665c0488a905779705a6683e9024115176e9e947d75d2a6b1e8673230fdb11c417788fbaf26d71e1cac5ad8e59a558924612cbf7d6615780836048883 - languageName: node - linkType: hard - "lodash@npm:>=4.17.21": version: 4.17.21 resolution: "lodash@npm:4.17.21" @@ -39753,22 +39713,6 @@ __metadata: languageName: node linkType: hard -"multer@npm:1.4.2": - version: 1.4.2 - resolution: "multer@npm:1.4.2" - dependencies: - append-field: "npm:^1.0.0" - busboy: "npm:^0.2.11" - concat-stream: "npm:^1.5.2" - mkdirp: "npm:^0.5.1" - object-assign: "npm:^4.1.1" - on-finished: "npm:^2.3.0" - type-is: "npm:^1.6.4" - xtend: "npm:^4.0.0" - checksum: 10/16133616544b66f8be5ed86378b85442a0f80efef67608b3d2ea087566eb83e8d09b37c049bd912c734d36f81ed48161a27fe435a642786079268dd87e79d765 - languageName: node - linkType: hard - "multer@npm:1.4.5-lts.1, multer@npm:^1.4.5-lts.1": version: 1.4.5-lts.1 resolution: "multer@npm:1.4.5-lts.1" @@ -39784,22 +39728,6 @@ __metadata: languageName: node linkType: hard -"multer@npm:^1.4.3": - version: 1.4.4 - resolution: "multer@npm:1.4.4" - dependencies: - append-field: "npm:^1.0.0" - busboy: "npm:^0.2.11" - concat-stream: "npm:^1.5.2" - mkdirp: "npm:^0.5.4" - object-assign: "npm:^4.1.1" - on-finished: "npm:^2.3.0" - type-is: "npm:^1.6.4" - xtend: "npm:^4.0.0" - checksum: 10/f1eb82acabaaa2d52fde9c29af1120d36e2dbc3536ff8d8fb66ce2104683969b7dc8303f8ec84fe17cc0a97a85516c010ff8ad5510affdb480ff15c20997c4f9 - languageName: node - linkType: hard - "multibase@npm:^0.7.0": version: 0.7.0 resolution: "multibase@npm:0.7.0" @@ -41636,7 +41564,7 @@ __metadata: languageName: node linkType: hard -"on-finished@npm:2.4.1, on-finished@npm:^2.3.0, on-finished@npm:^2.4.1": +"on-finished@npm:2.4.1, on-finished@npm:^2.4.1": version: 2.4.1 resolution: "on-finished@npm:2.4.1" dependencies: @@ -42797,10 +42725,10 @@ __metadata: languageName: node linkType: hard -"path-to-regexp@npm:^6.2.0": - version: 6.2.0 - resolution: "path-to-regexp@npm:6.2.0" - checksum: 10/330ad50d40a45c6e8e1d99d55162b9d51192b99e8c8b8d01262f440731f6985a8fcfc427c8640fa6c463d9266fccc4190f8c8ef9d98a0196bedab42b9cd91135 +"path-to-regexp@npm:^6.2.2": + version: 6.2.2 + resolution: "path-to-regexp@npm:6.2.2" + checksum: 10/f7d11c1a9e02576ce0294f4efdc523c11b73894947afdf7b23a0d0f7c6465d7a7772166e770ddf1495a8017cc0ee99e3e8a15ed7302b6b948b89a6dd4eea895e languageName: node linkType: hard @@ -45659,7 +45587,7 @@ __metadata: languageName: node linkType: hard -"readable-stream@npm:1.1.14, readable-stream@npm:1.1.x, readable-stream@npm:^1.0.26-4, readable-stream@npm:^1.0.33": +"readable-stream@npm:1.1.14, readable-stream@npm:^1.0.26-4, readable-stream@npm:^1.0.33": version: 1.1.14 resolution: "readable-stream@npm:1.1.14" dependencies: @@ -49236,13 +49164,6 @@ __metadata: languageName: node linkType: hard -"streamsearch@npm:0.1.2": - version: 0.1.2 - resolution: "streamsearch@npm:0.1.2" - checksum: 10/2c9407ee6682f100a9026b4b712d01ce3889fc818b928746eeb92fb4c0cf4ee79b74af27893fd766e4a36bbed08969a8e0bd0d0be5d30b2c9028859071f8f02b - languageName: node - linkType: hard - "streamsearch@npm:^1.1.0": version: 1.1.0 resolution: "streamsearch@npm:1.1.0"