Formidable CVE #4
Comments
At a glance, seemed to be safe to upgrade to 3.x.
If this is a brand new vuln, I'd like to give the Formidable people some time to address it before taking any drastic actions. They still support v2 currently. v3 has some nasty open issues, e.g. node-formidable/formidable#958
This vuln is over 2 years old. Why is it suddenly popping up for you now? Do you have a strange package-lock.json file that is downgrading things? I cannot make heads or tails of this. Here's a whole thread on it, linked from the GHSA issue you pasted:
Awesome article defending the security of Formidable: https://gitlab.com/keymandll/blog/-/blob/master/posts/03062022-Invulnerability_Analysis-CVE-2022%E2%80%9329622/index.md I think this vuln is garbage, personally. Plus, I NEVER allow uploaded files to be named via their CLIENT filenames. That is just asking for trouble. I always generate my own unique filenames across all my apps.
Nah, it just popped up today during install. Not sure why, maybe it was added to the npm db just now.
Yeah, I'm going to wait and see what happens. It's very odd that NPM is suddenly reporting a 2-year-old vulnerability, and that Snyk can't even see it.
Yup! Someday I may upgrade to Formidable v3, but I have SO many apps using pixl-server-web that it would be a huge deal to swap out a supporting library like that. One thing is that I expose the underlying Formidable uploaded file objects to apps using pixl-server-web, so they are relying on the exact API and structure of those objects. I'd have to make sure that v3 does everything EXACTLY the same way as v2, or maybe build some kind of translation layer. It would take a lot of testing. I do have unit tests, but they don't cover Formidable.
Ah, the dependabot PR just arrived: #5 I'll start taking a closer look at this soon.
Yeah, looks like they updated their CVE DB indeed, I also got some bot-opened issue on GitHub today. I guess we can give 3.x a try. I'll try to test it on my end.
Fixed in v1.3.30. They did break the API in formidable v3, alas. Everything appears to be wrapped in an array now. I have to intercept it and convert things back to v1 style. I added unit tests to make sure it's all working exactly the same as formidable v2. I'll bump Cronicle with this release in a few minutes. Thanks for bringing this to my attention!
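A translation layer of the kind the comment above describes, as an added example that is not pixl-server-web's or formidable's own code. It assumes formidable v3 hands back every field and file value as an array, and it treats a one-element array as the v2-style single value while leaving longer arrays (multiple uploads to one field) as arrays:

```javascript
// Added example: unwrap formidable v3's array-wrapped parse() results back
// into the v2 single-value shape that downstream apps were written against.
// Assumption: in v3 every entry of `fields` and `files` is an array.
function unwrapFormidableV3(fields, files) {
  const unwrap = (obj) => {
    const out = {};
    for (const [key, value] of Object.entries(obj || {})) {
      if (Array.isArray(value)) {
        // One element -> v2 single value; several -> keep the array, as v2
        // did for multi-file fields.
        out[key] = value.length === 1 ? value[0] : value;
      } else {
        out[key] = value; // already v2-style, pass through untouched
      }
    }
    return out;
  };
  return { fields: unwrap(fields), files: unwrap(files) };
}

// Constructed sample mirroring a v3 parse() callback result (not real upload data).
const sampleV3Fields = { title: ['hello'], tags: ['a', 'b'] };
const sampleV3Files = {
  upload: [{ originalFilename: 'report.pdf', size: 12, filepath: '/tmp/upload_constructed' }],
};

function demo() {
  return unwrapFormidableV3(sampleV3Fields, sampleV3Files);
}
```

Wiring this into the parse callback keeps the objects exposed to apps structurally identical to what v2 produced, which is what the unit tests mentioned above would pin down.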
npm is now yelling about some critical vuln of formidable. I see this repo is using 2.x. Did you try 3.x yet? The other option is to downgrade.