retirejs / retire.js
scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.

Home Page: https://retirejs.github.io/retire.js/

License: Other

Shell 0.80% HTML 0.44% JavaScript 93.18% Batchfile 0.02% TypeScript 5.56%
vulnerabilities scanner firefox-extension grunt-plugins javascript vulnerable-libraries insecure-libraries chrome-extension build-tool security

Contributors

alkocen, anantshri, arabcewicz, arthepsy, bbossola, bkimminich, bl4de, caa-garmbruster, chalker, colezlaw, coliff, elointz, enggfraz, eoftedal, erlend-oftedal-adsk, heikkipora, jmanico, kingthorin, kozmic, lukasreschke, maiers, noraj, p3pijn, reedloden, rossturner, samuelbjohnson, sarkie, sla89, thomasandersen, tomwolf2000


retire.js's Issues

RangeError: Maximum call stack size exceeded

Stack below.

RangeError: Maximum call stack size exceeded
    at action (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:76:11)
    at next (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:208:17)
    at seqEach (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:213:30)
    at cb (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:55:24)
    at Function.<anonymous> (myApp/node_modules/retire/node_modules/findit/index.js:75:29)
    at Function.seqEach (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:210:38)
    at action (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:76:11)
    at next (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:208:17)
    at seqEach (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:213:30)
    at cb (myApp/node_modules/retire/node_modules/findit/node_modules/seq/index.js:55:24)

No output produced on Windows with node-v0.12.0

When I run RetireJS in a Windows environment, I'm no longer seeing any output. I know it runs to completion, because if I use the --outputformat json option, I see an empty json array.

The problem seems to occur with node-v0.12.0 on Windows (though not on Mac or Linux), and it doesn't occur with node-v0.10.36 (the previous stable version). I can also duplicate the problem with versions of 0.11 greater than or equal to v0.11.7.

Looking for vulnerable samples

I was wondering where you keep the vulnerable JavaScript files (used for testing).

I am building a tool that is based on retire.js 'repository.json' and would like to test most of the vulnerable libraries.

Thanks

Dojo filecontentreplace signature for the compress library version

The Dojo "filecontentreplace" signature is very close to matching the official compressed lib:

Signature
"filecontentreplace" : [ "/dojo.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"],
[Ref]

Content from the compress lib
h.version={major:1,minor:10,patch:1
[Ref]

I suggest removing the dojo keyword and leaving .version[...]. I'm not sure about the risk of false positives from loosening this one up.
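As an added illustration of the signature discussed above (this is example code, not retire.js's own extractor), the function below applies a "/regex/replacement/" style filecontentreplace signature to file content and returns the version it extracts. How the real scanner parses that form is assumed here; the strict signature, the loosened variant and the compressed fragment come from the issue, while the other sample inputs are constructed.

```javascript
// Added example, not retire.js's own code: apply a "filecontentreplace"
// signature of the form "/<regex>/<replacement>/" to file content and
// return the extracted version string, or null when the regex does not match.
// The way the scanner itself splits this form is an assumption here.

function applyFileContentReplace(signature, content) {
  // Strip the leading and trailing "/", then split regex from replacement
  // at the last remaining "/" (the regexes in this example contain no "/").
  const body = signature.slice(1, -1);
  const sep = body.lastIndexOf("/");
  const pattern = new RegExp(body.slice(0, sep));
  const replacement = body.slice(sep + 1);
  const m = pattern.exec(content);
  if (!m) return null;
  // Expand $1, $2, ... from the capture groups into the version string.
  return replacement.replace(/\$(\d+)/g, (_, n) => m[Number(n)] ?? "");
}

// Try a list of signatures in order and return the first version found.
function extractVersion(signatures, content) {
  for (const sig of signatures) {
    const v = applyFileContentReplace(sig, content);
    if (v !== null) return v;
  }
  return null;
}

// The signature quoted in the issue. The JS string literal spells "\\{" exactly
// as the JSON does, so the regex sees "\{", a literal brace.
const STRICT_DOJO =
  "/dojo.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/";
// The loosened form suggested in the issue: drop "dojo", keep ".version".
const LOOSE_DOJO =
  "/\\.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/";

// Constructed sample inputs: an uncompressed-style assignment, the compressed
// fragment quoted in the issue, and an unrelated library with the same shape.
const SOURCE_DOJO = 'dojo.version={major:1,minor:10,patch:1,flag:"",revision:""};';
const COMPRESSED_DOJO = 'h.version={major:1,minor:10,patch:1,flag:"",revision:""};';
const OTHER_LIB = 'someOtherLib.version={major:2,minor:0,patch:3};';

// Stand-alone demonstration: the strict signature misses the compressed build,
// the loosened one finds it, and also matches the unrelated library.
for (const [name, text] of [["source", SOURCE_DOJO], ["compressed", COMPRESSED_DOJO], ["other", OTHER_LIB]]) {
  console.log(name, "strict:", applyFileContentReplace(STRICT_DOJO, text),
              "loose:", applyFileContentReplace(LOOSE_DOJO, text));
}
```

The third sample shows the trade-off the issue raises: once the library prefix is dropped, any script that assigns a `{major, minor, patch}` object to a `.version` property yields a Dojo version, so a loosened signature is best paired with a second, library-specific check (a filename or a distinctive string elsewhere in the file) before a finding is reported.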

TypeError: Cannot read property 'outputformat' of undefined

If this is just an error with how retire is called, the documentation could be updated to reflect the proper way of using retire.

 alexander@alexander-laptop  ~/Workspace/<projectname>   develop ●  retire -n    
Loading from cache: https://raw.github.com/RetireJS/retire.js/master/repository/npmrepository.json
Missing version for khan-react-components. Need to run npm install ?
Exception caught:  { '0': [TypeError: Cannot read property 'outputformat' of undefined] }
TypeError: Cannot read property 'outputformat' of undefined
    at /usr/local/lib/node_modules/retire/lib/scanner.js:47:22
    at Array.forEach (native)
    at printVulnerability (/usr/local/lib/node_modules/retire/lib/scanner.js:46:29)
    at scanDependencies (/usr/local/lib/node_modules/retire/lib/scanner.js:91:97)
    at Object.exports.scanDependencies (/usr/local/lib/node_modules/retire/lib/scanner.js:116:9)
    at EventEmitter.<anonymous> (/usr/local/lib/node_modules/retire/bin/retire:124:13)
    at EventEmitter.emit (events.js:107:17)
    at /usr/local/lib/node_modules/retire/lib/resolve.js:48:10
    at /usr/local/lib/node_modules/retire/node_modules/read-installed/read-installed.js:138:5
    at /usr/local/lib/node_modules/retire/node_modules/read-installed/read-installed.js:251:14

Missing dependency "npm"

It seems that resolve.js requires the npm module, but this is not declared in package.json.

module.js:340
    throw err;
          ^
Error: Cannot find module 'npm'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:362:17)
    at require (module.js:378:17)
    at Object.<anonymous> (myapp/node_modules/retire/lib/resolve.js:3:15)
    at Module._compile (module.js:449:26)
    at Object.Module._extensions..js (module.js:467:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:362:17)

Workaround is installing the npm module: npm install npm

isAtOrAbove does not behave as expected

It appears that whenever the rules are defined such that the vulnerability is fixed in between two versions, atOrAbove does not behave as expected. For example, in ember, the following rules are defined:

{ "atOrAbove" : "1.4.0-*", "below" : "1.4.0-beta.2", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] },
{ "atOrAbove" : "1.0.0-*", "below" : "1.3.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] },
{ "atOrAbove" : "1.2.0-*", "below" : "1.2.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] },
{ "atOrAbove" : "1.1.0-*", "below" : "1.1.3", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] },
{ "atOrAbove" : "1.0.0-*", "below" : "1.0.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] },
{ "atOrAbove" : "1.0.0-rc.1", "below" : "1.0.0-rc.1.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] },
{ "atOrAbove" : "1.0.0-rc.2", "below" : "1.0.0-rc.2.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] },
{ "atOrAbove" : "1.0.0-rc.3", "below" : "1.0.0-rc.3.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] },
{ "atOrAbove" : "1.0.0-rc.4", "below" : "1.0.0-rc.4.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] },
{ "atOrAbove" : "1.0.0-rc.5", "below" : "1.0.0-rc.5.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] },
{ "atOrAbove" : "1.0.0-rc.6", "below" : "1.0.0-rc.6.1", "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] },
{ "below" : "0.9.7.1", "info" : [ "https://github.com/emberjs/ember.js/blob/master/CHANGELOG" ] },
{ "below" : "0.9.7", "info" : [ "https://github.com/emberjs/ember.js/issues/699" ] }

However, even though the rules state that anything above 1.1.3 has been fixed, when running retire (or grunt retire), an issue is still reported for 1.1.3.

>> ↳ ember 1.1.3 has known vulnerabilities: https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4 https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4

Perhaps it's not a problem with the function, but instead the way it is specified - I am not entirely sure; I haven't had the chance to go through the code fully.

Mixed content on github-pages

When visiting https://bekk.github.io/retire.js/ in Firefox 35, I get empty tables for "JavaScript libraries" and "Node packages".

This is likely due to jQuery linked to as HTTP (instead of HTTPS):
<script src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
It could be replaced with a protocol-relative URL or just https instead:
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>

Allow ignore on dependencies

Project is great, first of all. We've been using it as a piece of our code validation steps for weeks and it's been great.

Currently we're able to ignore things picked up by scanJsFile, but not scanDependencies. Will that be exemptible as well going forward, or is there a reason for this?

JSON output for CLI

I couldn't find an option to output retire detected issues using a JSON output (or any other parseable format) when using the retire cli. Is there a flag that I missed? If not, it would be very helpful to have the output in JSON for automatic processing of the results.

Add severity

I think it will be really useful. It might be implemented like this:

    "vulnerabilities": [{
        "below": "1.6.3",
        "info": [{
            "severity": "high",
            "urls": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969", "http://research.insecurelabs.org/jquery/test/"]
        }]
    }]

What do you think?

Plupload vulns

Hi there,

So far plupload (http://www.plupload.com) is not in your DB however it contains 2 vulns:

Before v1.5.4: SOP Bypass http://www.cvedetails.com/cve/CVE-2012-2401/
Before v1.5.5: XSS http://www.cvedetails.com/cve/CVE-2013-0237/ (details of the payload can be found there: https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues#issue-3)

Example this script inclusion:

plupload.full.js:

/*1.5.2*/
(function(){var f=0,l=[],n={},j={},a={"<":"lt",">":"gt","&":"amp",'"':"quot","'":"#39"},m=/[<>&\"\']/g,b,c=window.setTimeout,d={},e;function h(){this.returnVa

[Firefox Plugin] - script included with relative url not detected

Had an issue yesterday during a test, the vulnerable jQuery libs were not detected by the firefox plugin (v0.1.1)

After investigation, it seems that when the script is called with a relative url, retire does not detect it

Example (the 1.8.2 must be downloaded and put in the same directory as the test file):

test.html

<html>
  <head>
    <script type="text/javascript" src="http://code.jquery.com/jquery-1.4.2.js"></script>
    <script type="text/javascript" src="jquery-1.8.2.js"></script>
  </head>
</html>

Then open test.html with Firefox 27, only the jQuery 1.4.2 will be detected as vulnerable

Option to ignore devDependencies

Would be nice to have an option to ignore modules from devDependencies, since for most projects, these won't be used in production.

sh script bug

pablo@eulogia:~/tools/retire.js/addon-sdk-1.16$ source bin/activate
Welcome to the Add-on SDK. For the docs, visit 
https://addons.mozilla.org/en-US/developers/docs/sdk/latest/
(addon-sdk-1.16)pablo@eulogia:~/tools/retire.js/addon-sdk-1.16$ cd ..
(addon-sdk-1.16)pablo@eulogia:~/tools/retire.js$ ./fx.sh test
./fx.sh: 28: ./fx.sh: Syntax error: "(" unexpected
(addon-sdk-1.16)pablo@eulogia:~/tools/retire.js$ sh fx.sh test
fx.sh: 28: fx.sh: Syntax error: "(" unexpected
(addon-sdk-1.16)pablo@eulogia:~/tools/retire.js$ bash fx.sh test
Using binary at '/usr/bin/firefox'.
Using profile at '/tmp/tmpsvo0jn.mozrunner'.
...

Ubuntu 12.04 LTS

[Firefox Plugin] - jQuery version not detected if not in the filename

When the jQuery library doesn't have the version in its filename (e.g. query-1.8.3.js), the plugin fails to detect it (even if the version is present in the file: /*! jQuery v1.8.3 jquery.com | jquery.org/license */)

I often use the following tricks to get the version in the Web Developer Console (when the version is not in the source of the file nor in the filename):

# jQuery version ($() is not used, to also get older versions)
jQuery().jquery

# jQuery UI
jQuery.ui.version

Might be useful to implement those in the FF plugin :)

Does not work on Windows because of symlink

The symlink from node/lib/retire.js to chrome/js/retire.js does not work on Windows, or at least I couldn't manage to get it working. Any tips?

By default running retire in Windows gives the following error:

c:\code\retire.js\node\lib\retire.js:1
(function (exports, require, module, __filename, __dirname) { ../../chrome/js/
                                                              ^
SyntaxError: Unexpected token .
    at Module._compile (module.js:439:25)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (c:\code\retire.js\node\bin\retire:5:17)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)

I tried to symlink, but couldn't make it work:

-> /c/code/retire.js (master)
$ rm node/lib/retire.js

-> /c/code/retire.js (master)
$ node --eval "require('fs').symlinkSync('chrome/js/retire.js', 'node/lib/retire.js', 'file')"

-> /c/code/retire.js (master)
$ node node/bin/retire

module.js:340
    throw err;
          ^
Error: Cannot find module '../lib/retire'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (c:\code\retire.js\node\bin\retire:5:17)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)

semver repository.json

"atOrAbove": "1.6.0-rc.1", "below" : "1.6.0-rc.1.1"

Why isn't this just semver notation?

>=1.6.0-rc.1 <1.6.0-rc.1.1

You could then use node-semver semver.satisfies() for your checks.
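To make the range semantics concrete for both the isAtOrAbove report above (which rule covers ember 1.1.3) and the semver question here, the following added example, which is not retire.js's own code, evaluates repository-style atOrAbove/below rules against a version string with semver pre-release ordering (rc.1 sorts below rc.1.1, and a release sorts above all of its pre-releases). The rule list is the ember list quoted in the isAtOrAbove issue with the info URLs omitted; the treatment of the "X.Y.Z-*" wildcard as "any pre-release or the release of X.Y.Z" is an assumption made for the example, not the project's documented behaviour.

```javascript
// Added example, not retire.js's own code: evaluate repository-style
// {"atOrAbove": ..., "below": ...} rules against a version string using
// semver pre-release ordering. The "X.Y.Z-*" wildcard is treated as
// "any pre-release or the release of X.Y.Z"; that is an assumption here.

function parseVersion(v) {
  const dash = v.indexOf("-");
  const release = (dash < 0 ? v : v.slice(0, dash)).split(".").map(Number);
  const pre = dash < 0 ? null : v.slice(dash + 1);
  return {
    release,                                                   // [1, 0, 0] or [0, 9, 7, 1]
    wildcard: pre === "*",                                     // "1.0.0-*"
    pre: pre !== null && pre !== "*" ? pre.split(".") : null,  // ["rc", "1"]
  };
}

function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Number(a) - Number(b);
  if (an) return -1;   // numeric identifiers rank below alphanumeric ones
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareRelease(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);   // a missing component counts as 0
    if (d !== 0) return d;
  }
  return 0;
}

function compareVersions(a, b) {
  const d = compareRelease(a.release, b.release);
  if (d !== 0) return d;
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;    // the release is above every one of its pre-releases
  if (!b.pre) return -1;
  for (let i = 0; i < Math.min(a.pre.length, b.pre.length); i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return a.pre.length - b.pre.length;   // rc.1 < rc.1.1
}

function ruleMatches(versionStr, rule) {
  const v = parseVersion(versionStr);
  if (rule.atOrAbove !== undefined) {
    const lo = parseVersion(rule.atOrAbove);
    const ok = lo.wildcard
      ? compareRelease(v.release, lo.release) >= 0   // any pre-release of lo qualifies
      : compareVersions(v, lo) >= 0;
    if (!ok) return false;
  }
  if (rule.below !== undefined && compareVersions(v, parseVersion(rule.below)) >= 0) return false;
  return true;
}

// Every rule whose range contains the version: a non-empty result means "vulnerable".
function matchingRules(versionStr, rules) {
  return rules.filter((r) => ruleMatches(versionStr, r));
}

// The ember rules quoted in the isAtOrAbove issue, "info" URLs omitted.
const EMBER_RULES = [
  { atOrAbove: "1.4.0-*", below: "1.4.0-beta.2" },
  { atOrAbove: "1.0.0-*", below: "1.3.1" },
  { atOrAbove: "1.2.0-*", below: "1.2.1" },
  { atOrAbove: "1.1.0-*", below: "1.1.3" },
  { atOrAbove: "1.0.0-*", below: "1.0.1" },
  { atOrAbove: "1.0.0-rc.1", below: "1.0.0-rc.1.1" },
  { atOrAbove: "1.0.0-rc.2", below: "1.0.0-rc.2.1" },
  { atOrAbove: "1.0.0-rc.3", below: "1.0.0-rc.3.1" },
  { atOrAbove: "1.0.0-rc.4", below: "1.0.0-rc.4.1" },
  { atOrAbove: "1.0.0-rc.5", below: "1.0.0-rc.5.1" },
  { atOrAbove: "1.0.0-rc.6", below: "1.0.0-rc.6.1" },
  { below: "0.9.7.1" },
  { below: "0.9.7" },
];

// Stand-alone demonstration: ember 1.1.3 sits inside the second rule
// (atOrAbove 1.0.0-*, below 1.3.1), which is why a scan still reports it.
console.log(matchingRules("1.1.3", EMBER_RULES));
console.log(matchingRules("1.0.0-rc.1.1", EMBER_RULES).length, "rules cover 1.0.0-rc.1.1");
```

Because the rules overlap, a version is only clean when no rule at all contains it; checking the single rule whose "below" equals the version is not enough. If the rules were rewritten as semver ranges (">=1.6.0-rc.1 <1.6.0-rc.1.1"), node-semver's default comparator rules exclude pre-release versions outside the exact tuple named in the range, so a port would need its `includePrerelease` option for the "-*" rules to keep matching pre-releases.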

Improve Vulnerability Ignoring

When using this, I come across vulnerabilities in libraries which are not applicable for whatever reason, and which I want to exclude.

Currently (according to my understanding) I have to ignore whole modules in the ignore file, no matter what includes them and no matter what vulnerabilities they contain.

A better approach would be to use something more like this:

retireignore.json:

[
   {
      "library": "jsLib",
      "version": "0.3.5",
      "includedBy": "topParentNpmModule",
      "vulnId": [ "CVE123", "CVE456" ]
   },...
]

With "library" being the only required field.

Note that this would require each vulnerability mentioned in the json repositories to have a unique identifier, but it would be more.
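The matching logic the proposal above implies, as an added example that is not retire.js's own code: an ignore entry suppresses a finding only when every field it specifies matches, with "library" the one required field. The entries are the ones from the issue plus one broad entry, and the findings are constructed for the example; the finding shape and field names are assumptions.

```javascript
// Added example, not retire.js's own code: apply retireignore.json-style
// entries (the format proposed in the issue) to scan findings. An entry
// suppresses a finding only when all of its specified fields match; a
// finding carries one vulnerability identifier. Field names and the
// finding shape are assumptions for this example.

const IGNORE_ENTRIES = [
  // Narrow: two identifiers of one version, only when pulled in by one parent.
  { library: "jsLib", version: "0.3.5", includedBy: "topParentNpmModule", vulnId: ["CVE123", "CVE456"] },
  // Broad: every vulnerability of this library, whatever version or parent.
  { library: "legacyLib" },
];

// Constructed findings (not real scan output).
const FINDINGS = [
  { library: "jsLib", version: "0.3.5", includedBy: "topParentNpmModule", vulnId: "CVE123" },
  { library: "jsLib", version: "0.3.5", includedBy: "topParentNpmModule", vulnId: "CVE789" },
  { library: "jsLib", version: "0.3.5", includedBy: "otherModule", vulnId: "CVE123" },
  { library: "jsLib", version: "0.3.6", includedBy: "topParentNpmModule", vulnId: "CVE123" },
  { library: "legacyLib", version: "2.0.0", includedBy: "app", vulnId: "CVE999" },
];

function entrySuppresses(entry, finding) {
  if (entry.library !== finding.library) return false;
  if (entry.version !== undefined && entry.version !== finding.version) return false;
  if (entry.includedBy !== undefined && entry.includedBy !== finding.includedBy) return false;
  if (entry.vulnId !== undefined) {
    const ids = Array.isArray(entry.vulnId) ? entry.vulnId : [entry.vulnId];
    if (!ids.includes(finding.vulnId)) return false;
  }
  return true;
}

// "library" is the only required field; reject entries without it so a
// malformed ignore file fails loudly instead of silently matching nothing.
function validateEntries(entries) {
  const bad = entries.filter((e) => typeof e.library !== "string" || e.library === "");
  if (bad.length > 0) {
    throw new Error('ignore entries without "library": ' + JSON.stringify(bad));
  }
  return entries;
}

// Split findings into those still reported and those suppressed, and record
// which entries never matched anything (stale ignores are worth reviewing).
function applyIgnores(findings, entries) {
  validateEntries(entries);
  const kept = [], ignored = [];
  const used = new Set();
  for (const f of findings) {
    const hit = entries.findIndex((e) => entrySuppresses(e, f));
    if (hit >= 0) { ignored.push(f); used.add(hit); } else { kept.push(f); }
  }
  const unused = entries.filter((_, i) => !used.has(i));
  return { kept, ignored, unused };
}

// Stand-alone demonstration.
const result = applyIgnores(FINDINGS, IGNORE_ENTRIES);
console.log("reported:", result.kept.length, "ignored:", result.ignored.length, "unused entries:", result.unused.length);
```

With these inputs the CVE123 finding under topParentNpmModule and the legacyLib finding are suppressed, while the same CVE123 reached through otherModule, CVE789 and the 0.3.6 copy are still reported, which is the per-vulnerability precision the issue asks for instead of silencing a whole module.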

TypeError: Cannot call method 'replace' of undefined

Hello,

I am using retire.js as part of our CI suite and we have just encountered a failing build due to the issue below. It seems that in https://github.com/bekk/retire.js/blob/master/node/lib/repo.js the request to the repo encountered an error, maybe github was down for a moment, and in turn threw this exception.

A fix could be to handle any failing downloads and return a non-zero exit code. I guess this also would be fixed by #26.

Downloading https://raw.github.com/bekk/retire.js/master/repository/jsrepository.json ...
Downloading https://raw.github.com/bekk/retire.js/master/repository/npmrepository.json ...

TypeError: Cannot call method 'replace' of undefined
    at Object.exports.replaceVersion [as process] ([redacted]/node_modules/retire/lib/retire.js:87:26)
    at Request._callback ([redacted]/node_modules/retire/lib/repo.js:20:42)
    at self.callback ([redacted]/node_modules/retire/node_modules/request/request.js:129:22)
    at Request.EventEmitter.emit (events.js:95:17)
    at ClientRequest.self.clientErrorHandler ([redacted]/node_modules/retire/node_modules/request/request.js:239:10)
    at ClientRequest.EventEmitter.emit (events.js:95:17)
    at CleartextStream.socketErrorListener (http.js:1547:9)
    at CleartextStream.EventEmitter.emit (events.js:95:17)
    at Socket.onerror (tls.js:1437:17)
    at Socket.EventEmitter.emit (events.js:117:20)

Decentralize vulnerability database

First of all, congratulations for the amazing initiative. This project rocks! :-)

Based on my understanding from the docs, the source of vulnerabilities is a manually maintained JSON file in your GitHub repository that was created by looking through release notes and issue trackers for the most common frameworks...

That seems to me like a lot of work both for the Retire.js project contributors, who have to manually hunt the vulnerabilities in release notes, and for project owners who have to submit vulnerability information through pull requests after they had already done the write-up in the release notes... (which generates more work for contributors who will also have to validate and merge these pull requests).

I am just wondering if it wouldn't make it easier for everybody (and also help the retire.js project to take off) if the vulnerability information was decentralized, and stored perhaps inside the package.json file of the project (or maybe a new retire.json file also located in the root of the project, in a similar approach to what Bower and Grunt currently do)?

If done this way, project owners could maintain this information themselves (possibly even automating the task by having their bug-track software automatically write the .json file), and projects such as NPM and Bower would be able to easily integrate Retire.js and do something useful such as displaying warnings to the users and optionally prevent installation/update of project versions with vulnerabilities.

Just food for thought...

Should "dont check" extractors uri match https too?

Hi

At the moment the regular expressions in jsrepository.js - "dont check"/extractors seem to only match http schemes. Is this intentional?

If not, I suggest that the expressions should match https too as pages served with SSL will most likely fetch https:// resources.
Modern browsers will not fetch http resources if the page is served with SSL (mixed content)

https://developer.mozilla.org/en-US/docs/Security/MixedContent

Maybe something like this would be sufficient,

"//www.google-analytics.com/ga.js"

Port jsrepository into npmrepository

Many frontend libraries exist as node modules in the npm registry. We should port all such dependencies from jsrepository into npmrepository.

Too much logic in bin/retire

I feel that we should refactor bin/retire to contain less logic, and update lib/retire to expose the API better. Thoughts?

YUI 2.9.0 vulnerable to CVE-2010-4710 ?

retire.js detects YUI 2.9.0 as being vulnerable to CVE-2010-4710

However, by looking at the CVE details and the YUI ticket, the 2.9.0 is not affected by this (in fact this version fixes the issue ;p)

The libs detected by retire.js were the following ones:

  • yui/resize/resize-min.js?v=2.9.0
  • yui/calendar/calendar-min.js?v=2.9.0

Edit: I am using the Firefox add-on v0.1.1 :)

jquery-ui-autocomplete version 1.8.7 has known security issues

I have been using the retire.js extension with Burp Suite and noticed an issue with the jquery-ui-autocomplete audit. You are referencing a vulnerable version of jquery-ui-autocomplete via http://bugs.jqueryui.com/ticket/8859. However, if you view ticket #8859, the vulnerability is with the jquery website itself, not the javascript file. It may be a typo referencing a different issue/ticket #, but 8859 refers to a vulnerability with the jquery website itself. Unless I'm totally off, then ignore me and my bad :)

Weird character breaking Chrome extension?

I am guessing this could be a regression of Bug #44 due to 652790b but reporting as a new one anyway.

retire.js/node/lib/retire.js has a weird character on line 69 (or 70).

result.vulnerabilities = unique((result.vulnerabilities || []).concat(vulns[i].info));

This seems to break the Chrome extension.

gulp plugin for retire?

Anyone got a gulp plugin for retire? If not, when can we see it? Could make one myself, but I don't have much time at the moment :/

Fx: Add-on test fails on Firefox beta

Adding this here for bookkeeping,

Testing for log count in the devtools web console fails in Firefox 26 (to be released on Week of December 10, 2013).

in firefox/test/test-addon.js -> test_thereShouldBeSixEntriesInWebConsoleLog,
the CSS selector used for counting nodes in panel.hud.outputNode.querySelectorAll(securityNodeSelector) should be changed from:

".webconsole-msg-security" to this ".webconsole-msg-security, [category=security]"

The reason is that the web console's hud ui is undergoing a complete rewrite[1] and the entries in the output node have changed.

The new selector will give the same result in versions before and after v26
The first selector can be removed later as it will not be in use after the release.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=778766
