Update json-ptr from ^2.2.0 to ^3.0.0 fixing prototype pollution (CVE-2021-23509)

Description

json-ptr < 3.0.0 has a prototype pollution security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-23509

Dependency path:

raml-1-parser@1.1.47 requires json-path@0.1.3 requires json-ptr@~0.1.1

json-ptr@~0.1.1 is resolved to json-ptr 2.2.0: https://github.com/folio-org/mod-graphql/blob/ee78059a28d2cc7c7e92aa4dcdbc5fb249d4b094/yarn.lock#L4390-L4391

json-path has not been maintained since 2013: https://www.npmjs.com/package/json-path

Therefore we need to bump the json-ptr version via the "resolutions" section of package.json.
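As an added illustration of the bug class behind this bump (example code, not json-ptr's or mod-graphql's own): a minimal RFC 6901 JSON Pointer setter that refuses to walk through `__proto__`, `constructor` or `prototype` segments, which is the kind of guard a pointer library needs so that an attacker-controlled pointer cannot write into `Object.prototype`. The helper names are assumptions made for this example.

```javascript
// Added example, not json-ptr's code: a small RFC 6901 JSON Pointer setter
// with the guard a pointer library needs to rule out prototype pollution.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one pointer into its reference tokens (RFC 6901 §4: ~1 -> '/', ~0 -> '~').
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error(`invalid JSON Pointer: ${pointer}`);
  return pointer
    .slice(1)
    .split('/')
    .map(t => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Set `value` at `pointer` inside `target`, creating intermediate objects.
// Throws instead of walking into prototype-related keys.
function safeSet(target, pointer, value) {
  const tokens = parsePointer(pointer);
  if (tokens.length === 0) throw new Error('cannot replace the root document');
  for (const t of tokens) {
    if (FORBIDDEN.has(t)) throw new Error(`refusing prototype-polluting segment: ${t}`);
  }
  let cur = target;
  for (const t of tokens.slice(0, -1)) {
    // Only descend into own properties so inherited keys are never followed.
    const own = Object.prototype.hasOwnProperty.call(cur, t);
    if (!own || typeof cur[t] !== 'object' || cur[t] === null) {
      cur[t] = {};
    }
    cur = cur[t];
  }
  cur[tokens[tokens.length - 1]] = value;
  return target;
}

// True if a fresh, empty object now sees `key` via Object.prototype,
// i.e. the global prototype has been polluted.
function isPolluted(key) {
  return key in {};
}
```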

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None


Activity

Julian Ladisch December 1, 2021 at 12:50 PM

Thanks!

Julian Ladisch December 1, 2021 at 12:48 PM

The FOLIO security team meets weekly to review all possible security threats. As long as mod-graphql ships with a vulnerable version of json-ptr the security team needs to investigate whether the use of json-ptr is safe or if some code change has been made that uses json-ptr in a vulnerable way.

Updating json-ptr saves time the security team needs for this continuous manual investigation.

Mike Taylor December 1, 2021 at 12:38 PM

That's weird: how is ~0.1.1 getting resolved to v2.2.0?

Anyway, I guess this upgrade looks safe enough (though unnecessary), I'll proceed.

Julian Ladisch December 1, 2021 at 12:32 PM

mod-graphql currently uses json-ptr 2.2.0.

The release notes https://github.com/flitbit/json-ptr#releases explain that there is only one change from 2.2.0 to 3.0.0: Prototype pollution has been disabled.

https://github.com/flitbit/json-path/blob/master/index.js doesn't need prototype pollution, therefore the pollution should be disabled for security.

Done

Details

Development Team

Thor

Created November 30, 2021 at 10:09 PM
Updated February 28, 2022 at 12:30 PM
Resolved December 1, 2021 at 12:44 PM