Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Update dependency moment-timezone to v0.5.35 [SECURITY] #2041

Merged
merged 1 commit into from
Sep 20, 2022
Merged

Update dependency moment-timezone to v0.5.35 [SECURITY] #2041

merged 1 commit into from
Sep 20, 2022

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 31, 2022

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
moment-timezone (source) 0.5.34 -> 0.5.35 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-56x4-j7p9-fcf9

Impact

All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.

  • if Alice uses tzdata pipeline to package moment-timezone on her own (for example via grunt data:2014d, where 2014d stands for the version of the tzdata to be used from IANA's website),
  • and Alice let's Mallory select the version (2014d in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task

Am I affected?

Do you build custom versions of moment-timezone with grunt?

If no, you're not affected.

Do you allow a third party to specify which particular version you want build?

If yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.

Description

Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint

The tasks/data-download.js script takes in a parameter from grunt and uses it to form a command line which is then executed:

6  module.exports = function (grunt) {
7      grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {
8          version = version || 'latest';

10          var done  = this.async(),
11              src   = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',
12              curl  = path.resolve('temp/curl', version, 'data.tar.gz'),
13              dest  = path.resolve('temp/download', version);
...
24          exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {

Ordinarily, one one run this script using something like grunt data-download:2014d, in which case version would have the value 2014d. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code

root@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'
\Running "data-download:2014d ; echo flag>/tmp/foo #" (data-download) task
>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz
>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz

Done.
root@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo
flag

Command Injection via data-zdump.js

The tasks/data-zdump.js script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.

15              files     = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');
...
27          function next () {
...
33              var file = files.pop(),
34                  src  = path.join(zicBase, file),
35                  dest = path.join(zdumpBase, file);
36              exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {

In this case, an attacker able to add a file to temp/zic/2014d (for example) with a filename like Z; curl www.example.com would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.

Command Injection via data-zic.js

Similar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.

10          var done  = this.async(),
11              dest  = path.resolve('temp/zic', version),
...
22              var file = files.shift(),
23                  src = path.resolve('temp/download', version, file);
24
25              exec('zic -d ' + dest + ' ' + src, function (err) {

As a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.

root@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '
Running "data-zic:2014d; echo hi > /tmp/evil; echo " (data-zic) task
exec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo  /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa
...

root@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil
hi

Patches

The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches exec to execFile so arbitrary bash fragments won't be executed any more.

References

GHSA-v78c-4p63-2j6c

Impact

  • if Alice uses grunt data (or grunt release) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website
  • and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)

Patches

Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.

Workarounds

Specify the exact version of tzdata (like 2014d, full command being grunt data:2014d, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.

Release Notes

moment/moment-timezone

v0.5.35

Compare Source

Thanks to the OpenSSF Alpha-Omega project for reporting these!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner August 31, 2022 11:51
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch from e4e183c to a01faec Compare September 2, 2022 16:54
@thestephenmarshall
Copy link
Contributor

Our tests should provide some coverage here in case something is broken after the upgrade.

@thestephenmarshall thestephenmarshall mentioned this pull request Sep 6, 2022
Closed
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch 2 times, most recently from 4463833 to 57e8f49 Compare September 7, 2022 22:46
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch 8 times, most recently from fbfdc56 to 6e5cc30 Compare September 12, 2022 13:38
@thestephenmarshall thestephenmarshall added the milano 20 MAX - Deploy this PR to a review environment via Milano label Sep 15, 2022
@app-milano app-milano bot temporarily deployed to pr2041 September 15, 2022 15:43 Inactive
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch from 6e5cc30 to 621549b Compare September 15, 2022 15:49
@thestephenmarshall thestephenmarshall removed the milano 20 MAX - Deploy this PR to a review environment via Milano label Sep 15, 2022
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch 3 times, most recently from 5d61959 to 59d3182 Compare September 19, 2022 20:36
@jasperfurniss jasperfurniss added improvement This is used when your PR contains library upgrades or doc/site improvements. (USED IN CHANGELOG)) Ready for Release merged to master, ready for a versioned released labels Sep 20, 2022
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch from 59d3182 to 5ecd9e3 Compare September 20, 2022 13:05
@renovate renovate bot force-pushed the renovate/npm-moment-timezone-vulnerability branch from 5ecd9e3 to e2d5b95 Compare September 20, 2022 13:27
@jasperfurniss jasperfurniss merged commit 27d16fb into master Sep 20, 2022
@jasperfurniss jasperfurniss deleted the renovate/npm-moment-timezone-vulnerability branch September 20, 2022 15:07
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@thestephenmarshall thestephenmarshall thestephenmarshall approved these changes

Assignees
No one assigned
Labels
improvement This is used when your PR contains library upgrades or doc/site improvements. (USED IN CHANGELOG)) needs alpha testing Ready for Release merged to master, ready for a versioned released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thestephenmarshall @jasperfurniss