"Regular Expression Denial of Service" security issues on dependencies

[c3s4r]

Issue Description

Running nsp check using parse-server 2.6.3 launches "Regular Expression Denial of Service" security warnings.

Steps to reproduce

Create a new express application with the parse-server dependency
Add nsp dependency
Run nsp check

Expected Results

Not to show any security warning.

Actual Outcome

The following warnings are displayed:

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > mime@1.4.0
https://nodesecurity.io/advisories/535

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > express@4.15.3 > send@0.15.3 > mime@1.3.4
https://nodesecurity.io/advisories/535

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > express@4.15.3 > fresh@0.5.0
https://nodesecurity.io/advisories/526

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > express@4.15.3 > debug@2.6.7
https://nodesecurity.io/advisories/534

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > parse-server-simple-mailgun-adapter@1.0.0 > mailgun-js@0.7.15 > debug@2.2.0
https://nodesecurity.io/advisories/534

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : 2.6.3
  • Operating System: MacOSX 10.12.6
  • Hardware: MacBookPro 2013
  • Localhost or remote server? Local

• Database

  • MongoDB version: 3.4
  • Storage engine: WiredTiger
  • Hardware: MacBookPro 2013
  • Localhost or remote server? Localhost

Logs/Trace

See above in the actual outcome.

[montymxb]

@c3s4r am I correct in saying that it looks like all the potential issues you've found are in dependent projects, rather than parse-server itself?

[c3s4r]

@montymxb yes, that's right. Anyways, since parse-server uses those modules, it will probably "inherit" the security issues. The fix should be simple: just need to upgrade the modules to their patched versions, which are:

• mime >= 2.0.3
• express >= 4.15.5

The mailgun-js dependency used in the parse-server-simple-mailgun-adapter package has also to be fixed, but it can't be upgraded because it doesn't have a published version with the fix yet (but it's fixed in their github repo, so I guess they should publish it soon).

I would also recommend to add nsp module (or similar) and add nsp check to posttest or pretest script to automatically verify that the dependencies used by the project don't have vulnerabilities.

[montymxb]

@c3s4r thanks for the recommendation! We're looking into adding this (or an equivalent like snyk) into the flow as part of our CI. This will stay open until we've settled on a solution.

[montymxb]

Closing as #4285 has been merged in to resolve this. Thanks again!