TRITON-2265: json-schema prototype pollution

Details

Issue Type: Bug
Priority: 4 - Normal
Status: Resolved
Created at: 2021-11-17T17:15:00.376Z
Updated at: 2021-11-19T19:10:58.386Z

People

Created by: Brian Bennett
Reported by: Brian Bennett
Assigned to: Brian Bennett

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2021-11-19T19:10:58.381Z)

Fix Versions

2022-01-13 Intrusion Countermeasure Electronics (Release Date: 2022-01-13)

Related Links

Description

json-schema, which we depend on in a few packages, has reported a prototype pollution security bug.

In particular, we use this in:

We use http-signature to authenticate requests with cloudapi and manta. I don't know of an exposed attack surface that would make attack possible, but I'd rather not take the chance.

Comments

Comment by Brian Bennett
Created at 2021-11-18T20:15:31.044Z
Updated at 2021-11-18T20:17:19.617Z

SRE has run the test suite against the staging environments with both cloudapi and muskie components upgraded.

Because the dependency is in the http-signature component, the only area at issue is authentication. Once authentication passes, all other components will pass as well.


Comment by Jira Bot
Created at 2021-11-18T20:20:47.068Z

sdc-cloudapi commit 2c014c07c4611736f47ed3a49e8e1746208db0b1 (branch master, by Brian Bennett)

TRITON-2265 json-schema prototype pollution (#107)

Reviewed by: Dan McDonald <danmcd@kebe.com>


Comment by Jira Bot
Created at 2021-11-18T20:21:33.876Z

manta-muskie commit 2411afb0309f49687bddfc002b025d0be86b607b (branch master, by Brian Bennett)

TRITON-2265 json-schema prototype pollution (#93)

Reviewed by: Dan McDonald <danmcd@kebe.com>