[Security] Vulnerability in `tar`

[asbjornh]

Do not open a PR. We appreciate the enthusiasm but the fix is more complicated than it appears. We're considering our options.

See https://www.npmjs.com/advisories/803

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Caused by node-gyp. I guess this depends on nodejs/node-gyp#1714 being fixed first. As far as I can tell, to fix this node-sass needs to to upgrade to node-gyp@4.x.x once they've resolved the issue on their part.

Output from yarn audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > tar                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 16503
Severity: 1 High

[mohsenari]

Dealing with the same issue. Tried npm update node-sass --depth 999, npm i tar --save, and npm update tar --depth 999. none of that helped updating tar for node-sass

[mohsenari]

Anyone who's looking for a temporary workaround until this gets fixed, I managed to update tar version using izogfif's answer here: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions

You need to remove tar from required section in node-gyp in package-lock.json

Then replace the version in the dependencies section in the same place and remove resolved and integrity properties from tar in dependencies:

"node-gyp": {
		"version": "3.8.0",
		"resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
		"integrity": "sha512-3g8l...",
		"requires": {
			"fstream": "^1.0.0",
			"glob": "^7.0.3",
			"graceful-fs": "^4.1.2",
			"mkdirp": "^0.5.0",
			"nopt": "2 || 3",
			"npmlog": "0 || 1 || 2 || 3 || 4",
			"osenv": "0",
			"request": "^2.87.0",
			"rimraf": "2",
			"semver": "~5.3.0",
			"which": "1"
		},
		"dependencies": {
			"semver": {
				"version": "5.3.0",
				"resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
				"integrity": "sha1-myzl..."
			},
			"tar": {
				"version": "^4.4.2"
			}
		}
},

Then delete your node_modules and run npm i
Test it with npm audit

[meszaros-lajos-gyorgy]

node-gyp updated it's tar version to the latest in this commit a few minutes ago, expecting a release soon:
nodejs/node-gyp@1456ef2

[angelocapone]

Same issue for me although I have the 4.4.8 version:
$ npm show tar version
4.4.8

[thealiano]

Same here waiting for a proper fix :)

[JarriddW]

Having same issue, waiting for a fix too :)
current tar version: 4.4.8

[asbjornh]

Same issue for me although I have the 4.4.8 version:
$ npm show tar version
4.4.8

You might have several transitive dependencies on multiple versions of tar :)

[angelocapone]

Thank you Asbjørn!

Yeah, looks like I have an "extraneous" 2.2.1 tar version:
$ npm ls tar
cartclient@1.0.0 X:\projects\cartclient
+-- node-sass@4.11.0
| -- node-gyp@3.8.0 | -- UNMET DEPENDENCY tar@^4.4.5
+-- nuxt@2.6.1
| -- @nuxt/builder@2.6.1 | -- chokidar@2.1.5
| -- UNMET OPTIONAL DEPENDENCY fsevents@1.2.7 | -- UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.10.3
| -- UNMET OPTIONAL DEPENDENCY tar@4.4.8 -- tar@2.2.1 extraneous

npm ERR! extraneous: tar@2.2.1 X:\projects\cartclient\node_modules\tar
npm ERR! missing: tar@^4.4.5, required by node-gyp@3.8.0

[JarriddW]

I'm unsure how many vulnerabilities all of you would have started with, this morning I had 4.
After running npm audit fix, 3/4 of them were fixed with just tar still giving problems.
I can however build and run my apps again for anyone with a similar case.

[HarisSpahija]

Updating the package-lock.json to all use "tar": "4.4.8" worked for me

[JarriddW]

Updating the package-lock.json to all use "tar": "4.4.8" worked for me

did you manage to run an audit with no vulnerabilities?

[osushi-desushi]

package-lock.json

"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

↓

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",

↓
rm -fr node_modules
↓
npm i
↓
npm audit
↓

=== npm audit security report ===

found 0 vulnerabilities
 in 42617 scanned packages

[JarriddW]

@osushi-desushi Your solution has worked, no vulnerabilities. Thanks a ton!

[osushi-desushi]

@JarriddW
Thanks for watching!!