Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prototype Pollution in protobufjs #6438

Closed
landsman opened this issue Jul 15, 2022 · 2 comments · Fixed by #6442
Closed

Prototype Pollution in protobufjs #6438

landsman opened this issue Jul 15, 2022 · 2 comments · Fixed by #6442

Comments

@landsman
Copy link

landsman commented Jul 15, 2022

[REQUIRED] Describe your environment

  • Firebase SDK version: 9.9.0
  • Firebase Product: auth

We have a report on security vulnerability thanks to Github in our private repository.
I want to get rid of it.

Screenshot 2022-07-15 at 12 42 57

More info: GHSA-g954-5hwp-pp24

I found that's because of dependency used in firebase package.

landsman@M1 pay % yarn why protobufjs
└─ @grpc/proto-loader@npm:0.6.9
   └─ protobufjs@npm:6.11.2 (via npm:^6.10.0)

landsman@M1 pay % yarn why @grpc/proto-loader
├─ @firebase/firestore@npm:3.4.12
│  └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.0)
│
├─ @firebase/firestore@npm:3.4.12 [2e82b]
│  └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.0)
│
├─ @firebase/firestore@npm:3.4.12 [4fc2d]
│  └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.0)
│
└─ @grpc/grpc-js@npm:1.5.4
   └─ @grpc/proto-loader@npm:0.6.9 (via npm:^0.6.4)
landsman@M1 pay % yarn why @firebase/firestore
├─ @firebase/firestore-compat@npm:0.1.21
│  └─ @firebase/firestore@npm:3.4.12 (via npm:3.4.12)
│
├─ @firebase/firestore-compat@npm:0.1.21 [4fc2d]
│  └─ @firebase/firestore@npm:3.4.12 [2e82b] (via npm:3.4.12 [2e82b])
│
└─ firebase@npm:9.9.0
   └─ @firebase/firestore@npm:3.4.12 [4fc2d] (via npm:3.4.12 [4fc2d])

landsman@M1 pay % yarn why firebase
├─ @trisbee/auth@npm:2.4.1::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40trisbee%2Fauth%2F2.4.1%2F80d963c5a50747b534098e6b0acda096db8668f211b78925e8cd57e50011f751
│  └─ firebase@npm:9.9.0 (via npm:^9.9.0)
│
└─ @trisbee/auth@npm:2.4.1::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40trisbee%2Fauth%2F2.4.1%2F80d963c5a50747b534098e6b0acda096db8668f211b78925e8cd57e50011f751 [40f58]
   └─ firebase@npm:9.9.0 (via npm:^9.9.0)

landsman@M1 pay % yarn why @firebase/firestore-compat
└─ firebase@npm:9.9.0
   └─ @firebase/firestore-compat@npm:0.1.21 [4fc2d] (via npm:0.1.21 [4fc2d])

Can you please help me to resolve it? 🙏
I already have an up-to-date version of the firebase.

Is the fix already in progress?
I can't know because the security vulnerability reports are private, in custom Google form, not here on Github where I would expect them when they are confirmed 😢

@google-oss-bot
Copy link
Contributor

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@hsubox76
Copy link
Contributor

Thanks for bringing this up. All work on this repo specifically should be publicly viewable in issues and PRs, as well as in any dependencies that are open source. I think we can fix the issue by updating the @grpc/proto-loader to version 0.6.13, as they bumped their version of protobufjs in that change: https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fproto-loader%400.6.13

I'll make a PR.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants