Problem/Motivation
WS-2018-0072 high severity
Vulnerable versions: < 2.2.0
Patched version: 2.2.0
Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
As per @lauriii this can be fixed publically.
it could be public because it only affects our development tooling, and it’s also already public information since its in a 3rd party dependency
Proposed resolution
Update the yarn package.
Remaining tasks
Create a patch
User interface changes
N/A
API changes
N/A
Data model changes
N/A
Release notes snippet
Updated nightwatch to version 1.2.1
Updated chromedriver to version 75.1.0
Updated stylelint-no-browser-hacks to 1.2.1
Comment | File | Size | Author |
---|---|---|---|
#51 | 3059356-51.patch | 250.03 KB | finnsky |
Comments
Comment #2
jibranTo update the
https-proxy-agent
to2.2.0
, we have to update nightwatch to latest version. Here is the patch.Comment #3
jibranSo nightwatch is broken.
Comment #4
jibranComment #5
cilefen CreditAttribution: cilefen as a volunteer commentedComment #6
klausiWe should update all vulnerable packages:
19 vulnerabilities found - Packages audited: 9037
Severity: 3 Low | 7 Moderate | 8 High | 1 Critical
Comment #7
klausiOk, the globals.js error from above can be fixed, now I get a different error:
So 2 problems: Page objects test page is broken and the database connection does not work for some reason.
Here is patch without the long yarn.lock changes, but should update it if you run yarn.install.
Comment #8
klausiOK, so I was able to "fix" those 2.
The first problem is because of https://github.com/nightwatchjs/nightwatch/issues/1969 (I think), so I simplified the command parameter to just a bool and then it works.
The second problem is that whatever object we are storing some settings on is resetting our drupalDbPrefix and drupalSitePath variables. I could not find Nightwatch documentation how you pass around dynamic settings during test runs, so I just decided to slap them on as global variables. I guess that is not good, would love some ideas how this should be done properly.
With this patch we are down to yarn audit: 11 vulnerabilities found - Packages audited: 9023
Severity: 2 Low | 6 Moderate | 3 High
At least Nightwatch, chromedriver and dependencies are updated with this. The remaining problems are stylelint, eslint that we need to upgrade.
Also adding a patch without the lock file changes for easier review.
Comment #9
klausiYay, nightwatch tests are passing!
Here is a yarn update for the other vulnerable packages (eslint and dependencies), no other changes. Let's see if this runs eslint correctly and does not break.
So we still have the global JS settings nightwatch problem in this patch, otherwise we should be ready.
You can still review the nolock.txt patch from before, this is only yarn.lock changes.
Comment #10
jibranGreat work! Thanks, for making it green.
This is the only concerning change for me. Rest of the code changes looks fine to me. I'll ping in #2976593: Prefix Nightwatch commands with a "drupal" namespace.
Comment #11
joaogarin CreditAttribution: joaogarin at jobiqo - job board technology commented"This is the only concerning change for me" thats also the same thing I notice here. It looks as if its changing a bit how those parameters are coming in. My guess is now this is never going to be false (onlyOnError) since its being called like this :
```.drupalLogAndEnd(false);``` but then its destructuring from "false" which is not an object so will always set it to the default value.
See my attached screenshot or just paste this into google chrome console :
EDIT :
Sry I overlooked that in line 12 of drupalLogAndEnd.js the function signature did change. so yes this looks good now :+1
Comment #12
klausiThe reason I changed the function signature is https://github.com/nightwatchjs/nightwatch/issues/1969 , could not get nightwatch running otherwise.
More concerning to me is the use of global.drupalDbPrefix as global variable because I could not find out how to pass around configuration in Nightwatch. Any ideas on that?
Comment #13
justafishPatch updated slightly (and with some added documentation from having to set this up again from scratch).
Comment #14
justafishI'm going to look into the function signature change some more, as it'd be nice to avoid changing our API
some more info here: https://github.com/nightwatchjs/nightwatch/issues/2018
Comment #15
klausiOh nice, you made my global variable hack better, thanks a lot! Nightwatch tests passing on the testbot as well, yay!
Comment #16
finnsky CreditAttribution: finnsky at Skilld commented@justafish
seems issue was fixed in https://github.com/nightwatchjs/nightwatch/commit/a17ff29488a154b3d77b80...
BUT we still have error. when i debug this place:
So we need to check this https://github.com/nightwatchjs/nightwatch/commit/a17ff29488a154b3d77b80...
we need to have Utils.isObject({ onlyOnError: false }) return true.
gonna digg a bit more.
Comment #17
finnsky CreditAttribution: finnsky at Skilld commentedSent PR in nightwatch.
https://github.com/nightwatchjs/nightwatch/pull/2156
So yeah, for now we can use strings or arrays.
Comment #18
mogtofu33 CreditAttribution: mogtofu33 as a volunteer and commentedStarting with Nightwatch 1.0 Selenium Standalone Server is no longer required.
Here is a patch for removing Selenium settings in nightwatch.conf.js and replace by webdriver.
Comment #19
justafishhttps://github.com/nightwatchjs/nightwatch/pull/2156#issuecomment-515748578
> Will be merged in the next few days.
Comment #20
finnsky CreditAttribution: finnsky at Skilld commentedon nightwatch side everything merged. so this patch should be updated now. our api should be same as before update.
Comment #21
finnsky CreditAttribution: finnsky at Skilld commentedNigtwatch patch merged but we still needs to wait until npm version will be updated https://www.npmjs.com/package/nightwatch
To test patch locally you may use nightwatch from github master branch: `yarn && yarn add https://github.com/nightwatchjs/nightwatch`
1) combined config updates from previous patches.
2) didn't add any api changes.
3) updated some packages to minor versions.
4) updated chromedriver to 75.1.0
Current result:
Comment #22
finnsky CreditAttribution: finnsky at Skilld commentedComment #23
finnsky CreditAttribution: finnsky at Skilld commentedfix in npm already.
https://github.com/nightwatchjs/nightwatch/releases/tag/v1.2.1
patch should be updated with latest nightwatch version.
Comment #24
finnsky CreditAttribution: finnsky at Skilld commentedComment #25
finnsky CreditAttribution: finnsky at Skilld commentedFixed. All fine now with `yarn audit` and all tests.
Comment #26
klausiNice, thank you!
Comment #27
finnsky CreditAttribution: finnsky at Skilld commentedNot sure how to run CI tests locally. i didn't have that error using local installation. So doing blind patch based on similar issue:
https://www.drupal.org/project/drupal/issues/3073342
https://github.com/nightwatchjs/nightwatch#chromedriver
Comment #28
finnsky CreditAttribution: finnsky at Skilld commentedComment #29
finnsky CreditAttribution: finnsky at Skilld commentedSame error. seems i need to configure testbot locally
Comment #30
finnsky CreditAttribution: finnsky at Skilld commented@mogtofu33i gonna remove changes added in #18 since they aren't exactly related to this issue. and make CI fallen, i think should be added follow-up issue about it.
Comment #31
finnsky CreditAttribution: finnsky at Skilld commentedUpdated patch without chromedriver changes.
Let's see what drupal ci says. i found it totally unconfigurable locally :)
Comment #32
mogtofu33 CreditAttribution: mogtofu33 as a volunteer and commentedThe drupalci_testbot chromedriver:production image is with Google Chrome 74.0.3729.157 and chromedriver 2.38 for now. Using Selenium as webdriver.
There is a context problem for the tests, If I am drupalci_testbot:
I have a docker image with chromedriver and chrome to be used for running JS tests, this is ok until perhaps nightwatch replace functional-js tests.
But then we rely on chromedriver/chrome version from this image and we cannot set
server_path
option in nightwatch to use chromedriver frompackage.json
because chromedriver will fail from missing dependency libnss3.so which is related to the fact that chrome is not installed in the php image.If I am a dev:
I just want to run locally my nightwatch tests following instructions in core/tests/REDAME.md.
But with the current config, I need to add a
server_path
option innightwatch.conf
.My point is that the chromedriver version in package.json is not used by drupalci_testbot, so it can be "^75.1.0" and we can adpat
nightwatch.conf
for testbot and local tests.In the same manner, the
.env
is not really used by drupalci_testbot because there is some forced values set in NightwatchJS.php.To continue on a patch for this issue, as per #3073342: JavaScript tests don't work with Chromedriver 75 and higher we should still pass
{ "chromeOptions": { "w3c": false } }
to prevent failure when the testbot update to Chrome 75+.As Nightwatch doc recommend to go to webdriver I think we should switch the
nightwatch.conf
to use webdriver and local chromedriver, this is then easier for local tests.Here is a patch that should pass on ci and work locally if running with
--env local
as noted in the patched core/tests/README.mdComment #33
klausiSuper!
Given all that I think this is RTBC.
Comment #34
finnsky CreditAttribution: finnsky at Skilld commented@klausi i found one wrong part here. we need to remove dependencies part from core/package.json seems was added by yarn.
Comment #35
mogtofu33 CreditAttribution: mogtofu33 as a volunteer and commented@finnsky, here is a patch with dependencies removed and chromedriver 75+ for local tests.
Comment #36
mogtofu33 CreditAttribution: mogtofu33 as a volunteer and commentedComment #37
finnsky CreditAttribution: finnsky at Skilld commented@mogtofu33 i feel some changes should be in yarn.lock aswell
Comment #38
finnsky CreditAttribution: finnsky at Skilld commentedComment #39
finnsky CreditAttribution: finnsky at Skilld commentedargh:) chromedriver
Comment #40
finnsky CreditAttribution: finnsky at Skilld commentedComment #41
finnsky CreditAttribution: finnsky at Skilld commentedComment #42
klausiAh sorry, the dependencies entry was a good point. Let's do this game again:
Back to RTBC.
Comment #43
justafish👍👍👍
Comment #44
jibranUpdated the release notes in the IS.
Comment #45
larowlanThis is failing prettier linting that we run as part of core commit hooks - fixable?
Comment #46
finnsky CreditAttribution: finnsky at Skilld commentedUpdated with prettier fix. Since it is rtbc`ed already will mark it back.
Comment #47
finnsky CreditAttribution: finnsky at Skilld commentedComment #49
larowlanCommitted 4936a17 and pushed to 8.8.x. Thanks!
This doesn't apply to 8.7.x
Comment #50
finnsky CreditAttribution: finnsky at Skilld commentedComment #51
finnsky CreditAttribution: finnsky at Skilld commentedAdded valid patch for 8.7.x
Comment #52
finnsky CreditAttribution: finnsky at Skilld commentedComment #53
klausi* Nightwatch tests are green.
* Compared the patches, code changes have been ported correctly.
* yarn audit is clean, no security issues remaining
* yarn.lock has very minor differences for uuid-3.3.2 vs. uuid.3.3.3 and table-5.4.6 vs table-5.4.5, but I think we don't really care.
Thank you!
Comment #54
larowlanCommitted 5e87ef7 and pushed to 8.7.x. Thanks!
Comment #57
xjmThese sorts of dependency updates should go in the release notes. Thanks for writing the snippet!
Comment #58
klausiFollow-up #3118741: [Security] Update yarn dependencies to fix security issues