
npm audit Arbitrary File Overwrite

I recently updated my version of Angular using ng update, and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json, like "angular-devkit/build-angular", but I am already using its latest version.

                   === npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary File Overwrite
  Package         tar
  Patched in      >=4.4.2
  Dependency of   @angular-devkit/build-angular [dev]
  Path            @angular-devkit/build-angular > node-sass > node-gyp > tar
  More info       https://npmjs.com/advisories/803

  found 1 high severity vulnerability in 29707 scanned packages
  1 vulnerability requires manual review. See the full report for details.

I thought of running npm i tar, but I am not sure.

mruanova asked Apr 11 '19 14:04




1 Answer

The following worked for me:

Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.

Then run:

  1. npm i
  2. npm audit
  3. npm audit fix
  4. npm audit

You should see 0 vulnerabilities.

I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.

Spiderman answered Oct 16 '22 05:10