
Security concerns related to cors-proxy #21

@DavidBruant

Context

The git proxy is security-sensitive, because credentials are passed to it as plaintext via calls from most methods using onAuth (but in practice, mostly push calls)

If an attacker can place themselves in the proxy, they can breach the confidentiality of the credentials by reading them. They can then send them wherever they please and then act maliciously as the user the credentials represent

This can happen, for instance, if there is an RCE vulnerability anywhere in the stack, e.g. in Node.js or in the micro dependency

It can also happen as a result of a prototype pollution vulnerability somewhere (a thorough analysis would be required to assess whether the threat is likely)

First-order analysis

I tried to assess whether the threat would be likely at a first glance

Node.js version

I see the Node.js version in the Docker image is 8

FROM node:8

This version stopped receiving security updates on 2019-12-31, 4 years ago.

This doesn't mean the proxy is vulnerable per se, but does not smell good

npm install

A fresh clone and npm install gives:

75 vulnerabilities (1 low, 22 moderate, 43 high, 9 critical)

After an npm audit fix, the result is:

41 vulnerabilities (14 moderate, 27 high)

Lots of ReDoS and some prototype pollution

This doesn't mean the proxy is vulnerable per se, but does not smell good

micro dependency

This proxy is mostly [email protected]. It was released in 2018 and a newer version is available

This would probably partially solve the security issues of the previous sections

Solutions

  • The fact that the proxy is security-sensitive should probably be documented somewhere, so people can make informed decisions (I can send a PR to the readme)
  • update node.js requirements to the latest LTS. In package.json as well as in the Dockerfile (and the azure config file ?)
  • update micro dependency
  • update package.json and package-lock.json to be in a place where npm audit stops reporting problems (or the remaining vulnerabilities are demonstrated to not affect cors-proxy)

I'm happy to send PRs with all this to begin with
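The threat described in the issue, illustrated with an added example that is not part of the issue or of cors-proxy's code. isomorphic-git's onAuth callback returns a username and password, which the client sends to the proxy as an HTTP Basic Authorization header; the proxy terminates the browser's TLS hop, so anything running in the proxy process reads the header in clear text. The request object, the proxy host name and the credential values below are constructed for the demonstration and are not captured traffic; the redaction helper is a suggested operator habit, not something the project ships.

```javascript
// Added example (not cors-proxy's own code). Shows what a request-forwarding
// proxy between isomorphic-git and a git host can see when onAuth is used.

// Decode an RFC 7617 HTTP Basic Authorization header into {username, password}.
// Returns null for a missing, malformed or non-Basic header.
function decodeBasicAuth(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const match = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(headerValue.trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  // The username may not contain ':'; the password may, so split on the first one.
  const sep = decoded.indexOf(':');
  if (sep === -1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed request, shaped like a git push that went through onAuth.
// Host name and credentials are made up for this example.
const constructedRequest = {
  method: 'POST',
  url: '/git.example.org/example/repo.git/git-receive-pack',
  headers: {
    host: 'cors-proxy.example',
    authorization: 'Basic ' + Buffer.from('alice:s3cret-example').toString('base64'),
    'content-type': 'application/x-git-receive-pack-request',
  },
};

// Anyone who controls the proxy process (RCE in Node.js or a dependency, a
// polluted prototype that alters header handling, ...) gets the plaintext
// credentials back from this call and can reuse them as that user.
function credentialsVisibleToProxy(req) {
  return decodeBasicAuth(req.headers.authorization);
}

// Operator hygiene: never write credential-bearing headers to logs. This limits
// accidental leakage via log files; it does not protect against an attacker who
// already executes code inside the proxy.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);
function redactForLogging(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = SENSITIVE_HEADERS.has(key) ? '[redacted]' : value;
  }
  return out;
}

// Demonstration run.
console.log('seen by proxy:', credentialsVisibleToProxy(constructedRequest));
console.log('safe to log:', redactForLogging(constructedRequest.headers));
```

Running the block prints the decoded username and password exactly as the proxy process receives them, then the same headers with the Authorization value replaced by `[redacted]`. The first output is the point of the issue: whatever trust boundary the proxy operator has (Node.js version, dependency hygiene, hosting) is the boundary that protects every user's git credentials.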
