
npm audit - Critical Package Issue #25

Open
SethArchambault opened this issue Jul 16, 2024 · 6 comments

Comments

@SethArchambault

SethArchambault commented Jul 16, 2024

On the tile server, we're getting a critical package issue, that comes from:
nodetiles-core -> canvas -> minimist.

Upgrading canvas here should fix the issue.

More details on the issues with minimist:
GHSA-xvch-5gv4-984h

[email protected]
node_modules/minimist
  minimist@"^1.2.5" from [email protected]
  node_modules/mkdirp
    mkdirp@"^0.5.1" from [email protected]
    node_modules/node-pre-gyp
      node-pre-gyp@"^0.11.0" from [email protected]
      node_modules/nodetiles-core/node_modules/canvas
        canvas@"2.6.0" from [email protected]
        node_modules/nodetiles-core
          nodetiles-core@"github:loveland/nodetiles-core#master" from the root project
    mkdirp@"^0.5.5" from [email protected]
    node_modules/node-pre-gyp/node_modules/tar
      tar@"^4" from [email protected]
      node_modules/node-pre-gyp
        node-pre-gyp@"^0.11.0" from [email protected]
        node_modules/nodetiles-core/node_modules/canvas
          canvas@"2.6.0" from [email protected]
          node_modules/nodetiles-core
            nodetiles-core@"github:loveland/nodetiles-core#master" from the root project
  minimist@"^1.2.0" from [email protected]
  node_modules/rc
    rc@"^1.2.7" from [email protected]
    node_modules/node-pre-gyp
      node-pre-gyp@"^0.11.0" from [email protected]
      node_modules/nodetiles-core/node_modules/canvas
        canvas@"2.6.0" from [email protected]
        node_modules/nodetiles-core
          nodetiles-core@"github:loveland/nodetiles-core#master" from the root project

@SethArchambault
Author

SethArchambault commented Jul 17, 2024

  • Investigate js-yaml
  • Investigate minimatch (looks like it's in canvas)
  • Investigate semver
  • Investigate tar (looks like it's in canvas)
  • Investigate yargs-parser

carto

The carto project is archived, we'll need something to replace it to resolve these 3 high severity issues.

current: 1.2.0

Causes:

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
No fix available

ansi-regex  3.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp

canvas

  • Upgrade canvas (for minimist and maybe others)

Made the upgrade:

  • "canvas": "2.6.0",
  • "canvas": "2.11.2",

No breaking code changes according to the docs: https://github.com/Automattic/node-canvas/blob/master/CHANGELOG.md

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h

@SethArchambault
Author

SethArchambault commented Jul 30, 2024

After upgrading canvas:

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/carto/node_modules/js-yaml

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver
  carto  >=0.17.2
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of yargs
  node_modules/carto

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/carto/node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/carto/node_modules/yargs

8 vulnerabilities (7 moderate, 1 high)

Here are those same issues organized:

Caused by Carto:

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/carto/node_modules/js-yaml

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp

Caused by dev package coveralls:

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie
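A way to produce the grouping above mechanically, as an added example that is not part of the original thread or the loveland/tiles project: it walks the `effects` chains in `npm audit --json` (auditReportVersion 2) output up to the direct dependency that pulls each advisory in, and flags roots that sit in package.json `devDependencies`. The audit and package.json fragments below are constructed to mirror the findings listed in this comment (carto is treated as a direct dependency for the sample).

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// trimmed to the fields used here and mirroring the post-canvas-upgrade findings above.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "js-yaml": { severity: "high", isDirect: false, effects: ["carto"],
      via: [{ title: "Code Injection in js-yaml", url: "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx" }] },
    semver: { severity: "moderate", isDirect: false, effects: ["carto"],
      via: [{ title: "semver vulnerable to Regular Expression Denial of Service", url: "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" }] },
    carto: { severity: "high", isDirect: true, effects: [], via: ["js-yaml", "semver"] },
    "tough-cookie": { severity: "moderate", isDirect: false, effects: ["request"],
      via: [{ title: "tough-cookie Prototype Pollution vulnerability", url: "https://github.com/advisories/GHSA-72xf-g2v4-qvf3" }] },
    request: { severity: "moderate", isDirect: false, effects: ["coveralls"],
      via: [{ title: "Server-Side Request Forgery in Request", url: "https://github.com/advisories/GHSA-p8p7-x288-28g6" }, "tough-cookie"] },
    coveralls: { severity: "moderate", isDirect: true, effects: [], via: ["request"] },
  },
};
// Constructed package.json fragment: the thread identifies coveralls as a dev-only package.
const SAMPLE_PKG = { dependencies: { carto: "1.2.0" }, devDependencies: { coveralls: "*" } };

// Follow `effects` upward until we reach a direct dependency (or a package nothing
// else depends on). `seen` guards against cycles in the dependency graph.
function findRoots(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return new Set();
  seen.add(name);
  const effects = entry.effects || [];
  if (entry.isDirect || effects.length === 0) return new Set([name]);
  const roots = new Set();
  for (const parent of effects) for (const r of findRoots(vulns, parent, seen)) roots.add(r);
  return roots;
}

// Group every advisory-bearing finding under the direct dependency that pulls it in.
// Entries whose `via` holds only strings are transitive carriers (e.g. carto) and
// are not findings themselves, so they are skipped.
function groupByRoot(audit, pkg) {
  const vulns = audit.vulnerabilities;
  const devDeps = new Set(Object.keys(pkg.devDependencies || {}));
  const groups = {};
  for (const [name, entry] of Object.entries(vulns)) {
    const advisories = entry.via.filter((v) => typeof v === "object");
    if (advisories.length === 0) continue;
    for (const root of findRoots(vulns, name)) {
      if (!groups[root]) groups[root] = { dev: devDeps.has(root), findings: [] };
      groups[root].findings.push({ name, severity: entry.severity, urls: advisories.map((a) => a.url) });
    }
  }
  return groups;
}

console.log(JSON.stringify(groupByRoot(SAMPLE_AUDIT, SAMPLE_PKG), null, 2));
```

Run it against real output with `npm audit --json > audit.json` and `JSON.parse` of that file plus your package.json in place of the samples; the `dev: true` roots are the ones that never reach production.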

@SethArchambault
Author

@quidquid @brambow

So I think we have two paths ahead.

  1. Fork the carto project, and upgrade the needed dependencies there as a temporary solution to addressing security issues found in npm audit.
  2. Switch away from nodetiles-core now.

Either way, given the abandoned status of nodetiles-core and its dependency "carto", we'll want to move away from nodetiles-core for security purposes at some point, but I figured it might be a good time to discuss if we want to spend some constrained time attempting that now.

I see that nodetiles-core is only used in these three functions on the tileserver:

    var bounds = nodetiles.projector.util.tileToMeters(opts.x, opts.y, opts.z)

    // Project the data
    // nodetiles wants it in 900913, no matter what the source code looks like.
    // Don't use anything fancy here! The overhead of projecting a lot of
    // features is significant.
    var i
    for (i = 0; i < features.length; i++) {
      // console.log(features[i]);
      features[i] = nodetiles.projector.project.Feature(
        'EPSG:4326',
        'EPSG:900913',
        features[i]
      )
    }

    // Set up the map
    var map = new nodetiles.Map({
      projection:   'EPSG:4326',
      boundsBuffer: tileBuffer,
    })

Looks like we use it for generating pngs and json for parcels, and for generating png, json, debug, and geojson for blexts.

Not sure if something like this could be a replacement:
https://github.com/maptiler/tileserver-gl

Or can we use Mapnik to do this?
https://github.com/pocketIlmatto/mapnik_node_tile_server

Not having done this type of tileserver work before, I'm not sure how much of a lift this could be, but wanted to check in at this point to see what y'all think. Thanks!

@SethArchambault
Author

SethArchambault commented Jul 30, 2024

Related issue: https://github.com/loveland/tiles/issues/662

@brambow
Member

brambow commented Jul 31, 2024

Thanks for digging in @SethArchambault! I'm pretty hesitant to dive into replacing the carto module at this point in time, although it'd be good to get a task into the backlog to specifically dive into carto / nodetiles-core. I believe this package (carto) is responsible for parsing the raster style definitions sent as part of tile requests and converting them to the right format for the server rendering.
The main driver behind the current efforts is SOC2 tracking purposes, and I think we can legitimately say we need more time to research this one.

@SethArchambault
Author

SethArchambault commented Jul 31, 2024

Summing up offline convo with Bates:

Option 2 isn't a viable short term option because we don't know that there is a replacement for nodetiles-core that allows the functionality we need (map styles in the CartoCSS language, + more). TileserverGL doesn't support live db connections, just mbtiles and pmtiles. Mapnik is already in our project, but doesn't support the CartoCSS language without carto also.
CartoCSS is essential because it's a format that clients use for querying, so must have a 1-to-1 replacement.

Option 1 is okay, but it's also creating a fork for a dependency of something we've already forked. (@quidquid: thoughts on forking?) Not sure the threat rises to the level of necessity for short-term action.

Would prefer to figure out #2, but there are other roadmap items that will take priority in the immediate future, so we can backlog that.
