| ▲ | Gigachad 5 hours ago |
| I'm getting CVE fatigue with all of these super ultra critical 10/10 vulnerabilities that are some node package that compiles my frontend can get stuck if I give it a malicious regex. It's hard to spot the stuff that actually matters. |
|
| ▲ | jamesfinlayson 3 hours ago | parent | next [-] |
| Yep. I remember years ago seeing the website for some guy who proudly listed all the CVEs he'd discovered. Clearly he'd written some scanning tool to look at regexes in open source projects and was creating CVEs for anything that might result in exponential time execution or whatever. |
| |
| ▲ | gorgoiler an hour ago | parent | next [-] | | It sounds like an interesting case study. Do these things get reported with a patch?: (a) add a new function that does regular expressions searching / matching with a resource checker (eg a timer); (b) write a local linter that reports an error for any use of the builtin regular expression tools; (c) fix all the lint warnings; (d) commit the linter. | | |
| ▲ | edelbitter an hour ago | parent | next [-] | | This stuff has been brewing for years, but since technically you could fix all instances with minimal StackOverflow downtime [1] and a slightly different pattern, few people worked on either using engines with data structures less prone to the worst case or adding the generic workarounds for those that have them. e.g. in cPython, until 3.11, there was no support for atomic grouping (roughly translation: "never backtrack inside of this expression"). There is little useful advice a linter can give, if there is no predictable-runtime way to express what you want within a single match step, because you really do want to unwind the stack and check for repeats (just without any of the exponential runtime stuff, please). [1]: https://meta.stackoverflow.com/questions/328376/why-does-sta... | |
| ▲ | jamesfinlayson an hour ago | parent | prev [-] | | No I think he was just looking to raise his profile, not to help. |
| |
| ▲ | tryauuum an hour ago | parent | prev [-] | | That's a real issue, took cloudflare down once... | | |
| ▲ | swiftcoder a few seconds ago | parent [-] | | It's only a real issue if it is in runtime code that parses untrusted input. 99% of the regex lints/CVEs that get flagged our way are in build-time code. |
|
|
|
| ▲ | themanmaran 4 hours ago | parent | prev | next [-] |
| Seriously. We got 116 github dependabot alerts this week. Half of them for dev dependencies. |
| |
| ▲ | jamesfinlayson 3 hours ago | parent [-] | | I tried to raise that with my internal security team recently - don't clutter my vulnerability dashboard with issues in dev dependencies. They somewhat rightly pointed out that malware needs to be dealt even if it's a dev dependency. So my suggestion went nowhere because I guess we can't filter by type of vulnerability. | | |
| ▲ | funciton a few seconds ago | parent | next [-] | | Developer's machines are high value targets. They were absolutely right to point that out. | |
| ▲ | Quothling 2 hours ago | parent | prev | next [-] | | Working in the EU energy sector where we have to work with NIS2 compliance, I'd argue that your security team rightly pointed it out. I suspect that's what you mean though, and the rightly is just there because you agree with it but don't like it. We work with even more tight dependencies policies than just having alerts. We have a set of pre-approved and yearly vetted packages, like pandas or pyarrow for Python data work. Aside from that we have some isolated development environments where your pipeline can get access to something like SQLC for Go. Which is essentially where your dev dependency lives in it's own environment where it can produce the code it needs to and then submit it for approval into your regular dev environment. Ironically we'd probably need to run Dependabot itself in a mirrored environment since it too has external dependencies we'd probably not want to vet. I do think external dependencies are among our biggest security threats though. It's so hard to vet them, and compliance basically comes down to "We trust the apache software foundation enough, and pyarrow is vital to our business, so we accept the risks", and then you lock versions and aren't the first to update except for vulnerabilities. Shadow AI is obviously the number one security threat right now, especially in enterprise with people who are very tech savvy. This makes dependencies so much worse though, because now everyone can (if their systems aren't locked down tight) do so many crazy things. Both with the "non-sanctioned" AI but also with the code it can generate for them. | | |
| ▲ | jamesfinlayson an hour ago | parent [-] | | Yeah I completely understand their intent, but I might get 30 vulnerabilities across a multiple repos flagged in a week. It is already tedious to check them all and assess if they're worth worrying about let alone having to update them. These are 99% Javascript though - I suspect other ecosystems are much more manageable. | | |
| ▲ | Gigachad an hour ago | parent [-] | | It's easier to keep stuff up to date these days. If you have a project with typescript, unit tests, and end to end tests like cypress you can just have dependabot create the PRs to update packages. If everything passes you just have to hit the merge button. Just updating everything is probably easier than assessing if it's possible to trigger an exploit with the way you use the package. | | |
| ▲ | Maxion 39 minutes ago | parent | next [-] | | Yep this is what has happened to small teams. You really only have time to approve the dependabot changes and go go go. Otherwise you'll never get anything productive done. The other option is to simply ignore updates and do them on a schedule, e.g. once every 1-2 months. | |
| ▲ | froddd an hour ago | parent | prev [-] | | This is exactly how developers of malware want you to behave. Update without really thinking about it. I do wonder how long it will take before an attack is developed by submitting a semi-genuine vulnerability, shortly followed by a ‘fix’ including malicious code. |
|
|
| |
| ▲ | SkiFire13 10 minutes ago | parent | prev | next [-] | | Everyone talking about malware in dev dependencies as if dependabot only raises issues about that, but it does not. It raises warnings about all sort of "vulnerabilities" irrespective of the threat model. Even worse, it incentivizes randomly updating dependencies, which is what actually allows supply chain attacks. | |
| ▲ | WD-42 40 minutes ago | parent | prev | next [-] | | A lot of the recent npm attacks have been exfiltration from dev machines, which would just as likely from dev dependencies. | |
| ▲ | zmgsabst 2 hours ago | parent | prev [-] | | Dev dependencies is how they compromised SolarWinds and thereby most of the US federal government. > The attackers used a supply chain attack. The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point. SolarWinds was using build management and continuous integration server TeamCity provided by the Czech company JetBrains. In 2021 The New York Times stated that unknown parties apparently embedded malware in JetBrains' software and through this way compromised also SolarWinds. https://en.wikipedia.org/wiki/2020_United_States_federal_gov... I don’t know what kind of software you write, how valuable your company’s infrastructure is, etc. But supply chain and insider threat in security/infrastructure is a big topic — that I’m sure they’re concerned about because that’s their area of responsibility. Even if I’m personally sympathetic to not wanting to deal with the churn of dev dependency updates. | | |
| ▲ | tempay 2 hours ago | parent | next [-] | | This is very real, but such CVEs are such a tiny fraction in relation to denial-of-service-due-to-regex that it’s hard to take the system seriously. So far as I’m concerned the solution is to isolate everything as much as possible. I’d love to see something on the CVE classification side to also address the signal to noise problem but I don’t see it happening. | | |
| ▲ | Maxion 37 minutes ago | parent | next [-] | | These DoS Regex 10/10 CVEs in some minor helper function in some package that is used once in some random side code pathway are so damn annoying. If I could filter out DoS CVEs‚ I would. | |
| ▲ | jamesfinlayson an hour ago | parent | prev [-] | | Pretty much - I don't know too much about the CVE process but if ReDoS stuff was flagged at the CVE level as "exploitable only with unconstrained inputs" then great - I know my tests have sane inputs, so I'll close thanks. |
| |
| ▲ | technion 34 minutes ago | parent | prev [-] | | Vulnerable dependencies are very different to compromised or backdoored dependencies though. Noone's taking over Solarwinds because their build tools had a ReDOS involving input from their own config files. |
|
|
|
|
| ▲ | WD-42 an hour ago | parent | prev | next [-] |
| Time to start banning those that submit fake or superficial reports. Maybe with enough bans these people will start actually reading their own vulnerabilities. |
|
| ▲ | nikanj an hour ago | parent | prev | next [-] |
| CVE 10 if you use you current version of Python to serve files over ftp, and parse the incoming files using the most obscure file type found in the forbidden libraries of the Vatican And your ISO etc certificates make this CVE mandatory priority 1 action point |
| |
| ▲ | edelbitter an hour ago | parent [-] | | I think this one has more to do with excessive dependencies, and lack of splitting into individually installable packages and/or static linking. I have already avoided having to evaluate whether I am affected by some issue because I added patches at startup that crash before certain unused-yet-installed modules are to be loaded.
Also, for those Python packages that still have a pure version that defers to stdlib and a separate muh-performance binary option with statically linked dependencies, I can generally just install the former and skip the version bumps for dependencies. The performance advantage may be negligible or negative outside of benchmarking 100k calls.. of code actually called 11 times a day, on a non-critical path. |
|
|
| ▲ | teaearlgraycold 4 hours ago | parent | prev | next [-] |
| Not sure what dumbass out there is marking those as 10/10. A 10 should be an auth bypass or RCE. Not a crashed build in my CI. |
|
| ▲ | iririririr an hour ago | parent | prev | next [-] |
| we killed the curators. (besides cve, nist, et al drop in criteria) searching for an indepth analisys, you find one million (after scrolling the Ai summary) results that are either copy-pastrle or Ai rewording of the cve announcement. ...and don't get me started on the proofs that stop after smelling the attack vector. you can't evaluate if your setup is DoSable at most or full remote shell. there's still tons of good analisys and reports. but the noise.... |
|
| ▲ | stackghost 2 hours ago | parent | prev | next [-] |
| The common thread of late really seems to be the node ecosystem |
|
| ▲ | dirkc 5 minutes ago | parent | prev [-] |
| [dead] |
