Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Prototype Pollution in sheetJS #2822

Open
lukewang2018 opened this issue Apr 27, 2023 · 32 comments
Open

[Security] Prototype Pollution in sheetJS #2822

lukewang2018 opened this issue Apr 27, 2023 · 32 comments

Comments

@lukewang2018
Copy link

lukewang2018 commented Apr 27, 2023

[Security] Prototype Pollution in sheetJS

GHSA-4r6h-8v6p-xvw6

Affected version: 0.19.3

Description
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

References
https://nvd.nist.gov/vuln/detail/CVE-2023-30533
https://cdn.sheetjs.com/advisories/CVE-2023-30533
https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md

@mushishi78
Copy link

mushishi78 commented Apr 28, 2023

Am I the only one confused that it say it's fixed in 0.19.3 but the latest release of this is 0.18.5?

Ah I can see your meant to do yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz. Don't mind me. https://docs.sheetjs.com/docs/getting-started/installation/nodejs

@amorimrafael
Copy link

Hi guys,

Does anyone know if they have plans to publish this version here on github?

@invaderb
Copy link

invaderb commented May 2, 2023

+1 for an update on this?

@jimmykane
Copy link

Why is this not published to NPM ?

@Cellule
Copy link

Cellule commented May 3, 2023

As explained in the Readme, this project is no longer maintained on Github and no longer published to npm.
I don't know the reasons why, but moving forward you are supposed to install using their cdn yarn add xlsx@https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

sheetjs/README.md

Lines 3 to 16 in 5b4806b

> ## 🏠 New Home
>
> The new home for SheetJS CE is <https://git.sheetjs.com/sheetjs/sheetjs>, a
> hosted Gitea instance sponsored by SheetJS LLC. SheetJS CE remains a truly
> open source project under the Apache 2.0 License.
>
> Issues should be raised at [the new issue tracker](https://git.sheetjs.com/sheetjs/sheetjs/issues).
> Users can register directly or sign in with a valid GitHub account.
>
> [The documentation](https://docs.sheetjs.com/docs/getting-started/#installation)
> includes instructions for using the new distribution points.
>
> Legacy distribution points (including the `SheetJS/sheetjs` Git repository on
> GitHub and the `xlsx` package on npmjs.com) will not be receiving updates.

Relevant issue as to "why" they no longer publish on npm
https://git.sheetjs.com/sheetjs/sheetjs/issues/2667

I am too a little concerned about how future CVE will be reported and notify users. I feel the switch out of npm didn't take into account security concerns.

@Cellule
Copy link

Cellule commented May 3, 2023

Opened another issue on their tracker for future CVE alerting (not explicit of this particular CVE), but more a concern for the future for people switching from NPM to their CDN
https://git.sheetjs.com/sheetjs/sheetjs/issues/2935

@invaderb
Copy link

invaderb commented May 3, 2023

That really is piss poor communication on the sheetjs team's part, having it just in their docs is not a wide enough reach to everyone that uses this package, there is nothing in the github readme or on the npm page about essentially the deprecation of the package on npmjs. They should throw up a banner or a message about it, especially for a package that gets 2 million weekly downloads...

I have the same concerns especially about missing out on future security issues with this package now that we have to use the CDN to get updates. I'm also weary about using smaller CDN's, there's a reason why npmjs is the standard and will be around much longer than sheetjs

Just to note for others you don't have to use yarn to install from the CDN you can still use npm or pnpm:
npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

@Snailedlt
Copy link

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

@dafanzhi
Copy link

I tried yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz,
image
then run npm audit, still got the vulnerabilities tips:
image

what should id do?

@Snailedlt
Copy link

@dafanzhi seems like you're using npm, and not yarn... So you should use npm install instead of yarn add

@dafanzhi
Copy link

got the same result via npm:
image

@Snailedlt
Copy link

@dafanzhi Did you uninstall the old version?

@dafanzhi
Copy link

dafanzhi commented May 24, 2023

@dafanzhi Did you uninstall the old version?

i've tried removing the old version before reinstall, but still got the same:
image

As you can see, the problem is the xlsx is already the latest version and installed without any error tips, but the node-xlsx which depends on xlsx can not be installed properly, even i specified the overrides in the package.json:
image

So, what detailed instructions should i follow to eliminate the vulnerabilities error tips for the xlsx in node-xlsx?

@knoxgon
Copy link

knoxgon commented May 26, 2023

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

Works Great. Thank you. Although, I wonder... Are there any breaking changes to it? I haven't found any information regarding the release notes...

@Zainzzkk
Copy link

Zainzzkk commented Jun 1, 2023

Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue and nor will they update the npm readme with a notice of this change

@lukewang2018
Copy link
Author

@Zainzzkk you can try excel4node.

"excel4node": "^1.8.2",

https://github.com/advisr-io/excel4node

@rupeshdeotale97
Copy link

Hi team getting below error for

$ npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz
npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz failed, reason: unable to get local issuer certificate

@codeams
Copy link

codeams commented Jul 6, 2023

Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue and nor will they update the npm readme with a notice of this change

I'm having good results with https://github.com/exceljs/exceljs

@e965
Copy link

e965 commented Aug 7, 2023

Hey, folks! I made a little tool that allows you to continue using xlsx in your projects. It checks for updates from the sheetjs selfhosted git repository every day, and if there is a new version there, it is automatically published to npm. The publishing is signed via provenance to prevent extraneous modifications to the project (unless the sheetjs developers themselves come in to sabotage everything, of course).

All code is available for audit here https://github.com/e965/sheetjs-npm-publisher

Installation into your project is also very easy:

- "xlsx": "0.18.5",
+ "xlsx": "npm:@e965/xlsx@0.20.0",

(or just install the package directly and fix all the imports in your code)

@brettwgreen
Copy link

I think the truth is they tried to commercialize this project and don't want to support the open source version anymore so they used the lamest excuse possible (NPM is forcing us to use 2FA) to break the open source delivery mechanism and try to squeeze people into using the pro version.

@LukasNemcik
Copy link

Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue and nor will they update the npm readme with a notice of this change

I'm having good results with https://github.com/exceljs/exceljs

Exceljs is great but it have one for us important flaw - it supports just .XLSX or .CSV formats and doesn't support older .XLS files. So for that reason we are still using also xlsx package.

@vasudevaraopaila
Copy link

vasudevaraopaila commented Sep 27, 2023

@e965 we are using mat table exporter which is internally using cdk table exporter and dependent on xlsx package, so I have created two dummy npm packages for mat table exporter and cdk table exporter and the installed @e965/xlsx as dependency which replacing xlsx. but I am getting below errors

/node_modules/config-table-exporter/fesm2020/cdk-table-exporter.mjs:130:21-54 - Error: Module not found: Error: Can't resolve 'xlsx/dist/xlsx.mini.min' in 'D:\Projects\Sample_project\Sample_project\node_modules\config-table-exporter\fesm2020'

./node_modules/config-table-exporter/fesm2020/cdk-table-exporter.mjs:132:21-35 - Error: Module not found: Error: Can't resolve 'xlsx' in 'D:\Projects\Sample_project\Sample_project\node_modules\config-table-exporter\fesm2020'

updated all the dependencies and imports from xlsx to @e965/xlsx, but still getting the same. Below are the dummy packages I published

https://www.npmjs.com/package/config-mat-table-exporter?activeTab=code
https://www.npmjs.com/package/config-table-exporter?activeTab=code

@mikeplacko
Copy link

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

I think it's worth mentioning that their CDN appears to only be using a self-signed certificate, which npm will not like without you jumping through a bunch of hoops. That's a deal breaker for me.

@Snailedlt
Copy link

@mikeplacko would this answer suit you better? #2822 (comment)

@mikeplacko
Copy link

@mikeplacko would this answer suit you better? #2822 (comment)

That did work. It did not throw an SSL warning and it seems as legitimate as any other NPM package security wise. Maybe I'm nit picking a bit with the self-signed certificate, but I feel like that's a really low bar to meet in 2023.

@basvandorst
Copy link

@SheetJSDev could you guys please mark the last package on NPM as deprecated?
https://docs.npmjs.com/deprecating-and-undeprecating-packages-or-package-versions

For you guys it's a minute fix but a timesaver for all (thousands of) people that are using your package. Cheers

@rap2hpoutre
Copy link

Some production networks allow only npmjs.org for repositories. Having an exception like sheetjs.com is not always possible.

@bingDBdu
Copy link

bingDBdu commented May 8, 2024

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

image

It looks ugly. I don't like it at all. Hope it's going to be published to NPM as soon as possible.

@NoNameProvided
Copy link

I have created a script that republishes the package automatically to NPM.

Since the CE edition is licensed under Apache which allows republishing it with proper attribution I have made a small automated script that periodically checks the CDN and republishes the latest version to NPM if needed.

The NPM package can be found here https://www.npmjs.com/package/xlsx-republish.

@e965
Copy link

e965 commented Sep 17, 2024

@NoNameProvided competition is wonderful 🙂
#2822 (comment)

@NoNameProvided
Copy link

NoNameProvided commented Sep 17, 2024

Oh, dang, I didn't see that! I came from the above-linked issue and only commented here after I had made my script.

It seems you build from source code which may result in different package content than the actually published artifacts. I have decided to republish the tarball they publish on their own CDN. It ensures you get the exact same content the developers intended. It's a subtle but important difference.

@e965
Copy link

e965 commented Sep 20, 2024

@NoNameProvided Yes and no - right now, given that the content of our packages is identical, both of our solutions are correct. But I agree that in the possible future your strategy is more correct.
I'll look into modifying the publish script soon, thanks for the ideas :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests