SHA-1 Weak Authentication Algorithm vulnerability in dependency "request"

[aqan213]

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package.
The vulnerability reports that

"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." 

The module bluemix-autoscaling-agent uses the latest version appmetrics v5.1.1 and request 2.88.0 is a dependency of node-gyp 5.1.1 which is the dependency of appmetrics.

Here is the hierarchy of the "request" module tracking back to bluemix-autoscaling-agent.

Three instances:

"request": "^2.72.0" is required by
"ibmapm-restclient": "version": "20.8.0" is required by
ibmapm-embed": "version": "20.8.4" is reuired by
"appmetrics": "version": "5.1.1" is required by
"bluemix-autoscaling-agent": "version": "1.0.14"

"request": "^2.88.0", is required by
"node-gyp": "version": "5.1.1" is required by
"appmetrics": "version": "5.1.1", is required by
"bluemix-autoscaling-agent": "version": "1.0.14",

"request": "^2.83.0",
kubernetes-client": {
"version": "3.18.1",
"ibmapm-restclient": {
"version": "20.8.0",
……
"bluemix-autoscaling-agent": {
"version": "1.0.14"

Can you please take a look?

[mattcolegate]

Thanks for this. The solution would be to update our depenceny to a version of node-gyp that doesn't require a version of request. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires request at a level of ^2.88.2. Can you tell me if that version of request still has that vulnerability please?

[mattcolegate]

Acording to request/request#2640 it looks like all versions of request are vulnerable. Solution is therefore to get node-gyp to move away from request. It looks like they already have an issue open for that, nodejs/node-gyp#2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.

[aqan213]

Thanks for the response. How about the other 2 versions request from other 2 package?

"request": "^2.72.0" -->"ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

and
"request": "^2.83.0" --> kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

[mattcolegate]

Best handled by raising issues on https://github.com/IBM/node-ibmapm-restclient and https://github.com/godaddy/kubernetes-client

[donacarr]

Hi @mattcolegate , it seems like nodejs/node-gyp#2220 solved issue nodejs/node-gyp#2047 migrating requests to fetch.
When do you plan to use the nodejs version containing the fix ?

[mattcolegate]

Hi @donacarr, looks like this is going into node-gyp v8.0.0 nodejs/node-gyp#2346 - when that version releases we can start looking to pull it into appmetrics