Use of software with known vulnerabilities in development

Need

Mitigation of known vulnerabilities in software and dependencies used in development

Context

  • Usage of Dart 2.0 for developing high-performance, cross-platform applications
  • Usage of Shelf, the Dart web server middleware framework, for composing request handlers
  • Usage of shelf_io for binding a Shelf handler to an HTTP server in Dart
  • Usage of shelf_router for routing and request handling in a Shelf-based web application
  • Usage of shelf_static for serving static files with the Shelf framework

Description

Non-compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_router/shelf_router.dart';
import 'package:shelf_static/shelf_static.dart';

void main() {
  var app = Router();

  // Known vulnerable package version: the shelf_static release this handler
  // comes from is pinned in pubspec.yaml, not in this file.
  // listDirectories: true returns a directory index when no index.html exists.
  var handler = createStaticHandler('public',
      defaultDocument: 'index.html',
      listDirectories: true);

  app.mount('/', handler);

  var server = io.serve(app, 'localhost', 8080);
  server.then((value) => print('Server started on port ${value.port}'));
}

The above code demonstrates a Dart backend application using the Shelf framework. The application is set up to serve static files from a 'public' directory.

The vulnerability lies in the use of a version of the shelf_static package that is known to have security issues. The createStaticHandler function from shelf_static is used to serve static files. The version in use is not visible in the Dart source itself; it is declared in the project's pubspec.yaml. If the version of shelf_static resolved for this code contains known vulnerabilities, it exposes the application to the corresponding security risks.

For instance, a known vulnerability in a specific version might allow unauthorized file access, path traversal, or remote code execution. By continuing to use this version in a pre-production environment, you run the risk of these vulnerabilities being exploited, leading to potential data leakage, system compromise, or other security incidents.

It is crucial to always use the latest and most secure versions of all dependencies and to regularly check for and apply updates. This includes not only the direct dependencies you use in your code, but also any indirect dependencies they may rely on.

Steps

  • Identify the software or dependencies with known vulnerabilities. In this case, it's the 'shelf_static' package.
  • Check the version of the vulnerable software or dependency being used. This can be found in the 'pubspec.yaml' file in Dart projects.
  • Research the latest stable version of the software or dependency that has addressed the known vulnerabilities. This can be done by checking the official documentation or the package's page on pub.dev.
  • Update the vulnerable software or dependency to the latest stable version that has fixed the known vulnerabilities. This is done by updating the version number in the 'pubspec.yaml' file and running 'pub get' to fetch the updated package.
  • Test the application after updating the software or dependency to ensure it still works as expected. This can be done by running the application's test suite, if one exists, or manually testing the application's functionality.
  • Regularly check for updates to the software or dependencies used in the project. This can be done by subscribing to security mailing lists, using automated dependency checkers, or regularly visiting the official documentation or package pages.
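One way to automate the "check the version" and "regularly check" steps above is a CI gate over pubspec.lock, which records the exact version `pub get` resolved for every direct and transitive package. The script below is an added example, not code from this page or from the Shelf project; the lockfile contents, the advisory list and the function names are constructed assumptions, and in practice the advisory list would come from pub.dev's advisory data or from the automated dependency checker the steps recommend.

```shell
#!/bin/sh
# Added example, not from the page: a CI gate that reads the versions
# `dart pub get` resolved into pubspec.lock (transitive packages included)
# and fails when any of them falls inside a known advisory.
# The lockfile and the advisory list below are constructed placeholders.
LOCKFILE_SAMPLE='packages:
  shelf_static:
    dependency: "direct main"
    version: "0.2.8"
  mime:
    dependency: transitive
    version: "1.0.4"
sdks:
  dart: ">=2.19.0 <4.0.0"'
# Constructed advisories, one "<package> <highest affected version>" per line.
ADVISORIES='shelf_static 0.2.8
mime 0.9.9'
# Print "name version" for every package in a lockfile read from stdin.
lock_versions() {
  awk '/^packages:/ { inpk = 1; next }
       /^[^ ]/      { inpk = 0 }
       inpk && /^  [A-Za-z0-9_]+:$/ { name = $1; sub(/:$/, "", name) }
       inpk && /^    version:/ { v = $2; gsub(/"/, "", v); print name, v }'
}
# Return 0 when dotted version $1 <= $2, comparing component by component.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = na > nb ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 0 }'
}
# Print every locked package whose version is at or below an advisory limit.
find_vulnerable() {
  printf '%s\n' "$1" | lock_versions | while read -r name ver; do
    printf '%s\n' "$2" | while read -r apkg amax; do
      if [ "$name" = "$apkg" ] && version_le "$ver" "$amax"; then
        echo "$name $ver (affected up to $amax)"
      fi
    done
  done
}
# Gate: return 0 when the lock is clean, 1 (with a list to fix) otherwise.
check_lock() {
  hits=$(find_vulnerable "$1" "$2") && [ -z "$hits" ] && return 0
  printf 'update these packages before shipping:\n%s\n' "$hits"; return 1
}
# In a real pipeline: check_lock "$(cat pubspec.lock)" "$ADVISORIES"
check_lock "$LOCKFILE_SAMPLE" "$ADVISORIES" || echo "build blocked"
```

Because it reads pubspec.lock rather than pubspec.yaml, the gate also catches an affected transitive package that no line of the project's own code imports.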

Compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_router/shelf_router.dart';
import 'package:shelf_static/shelf_static.dart';

void main() {
  var app = Router();

  // Updated package version: shelf_static is now pinned in pubspec.yaml to a
  // release that fixes the known vulnerabilities; the handler code itself is
  // unchanged.
  var handler = createStaticHandler('public',
      defaultDocument: 'index.html',
      listDirectories: true);

  app.mount('/', handler);

  var server = io.serve(app, 'localhost', 8080);
  server.then((value) => print('Server started on port ${value.port}'));
}

The original code was using a known vulnerable version of the 'shelf_static' package. This package is used to serve static files in a Dart backend application using the Shelf framework.

The vulnerability was fixed by updating the 'shelf_static' package to the latest stable version that has addressed the known vulnerabilities. This was done by updating the version number in the 'pubspec.yaml' file and running 'pub get' to fetch the updated package.

After updating the package, the application was tested to ensure it still works as expected. This was done by running the application's test suite, if one exists, or manually testing the application's functionality.

To prevent similar vulnerabilities in the future, it's recommended to regularly check for updates to the software or dependencies used in the project. This can be done by subscribing to security mailing lists, using automated dependency checkers, or regularly visiting the official documentation or package pages.