Authz: node18 re-write

[sauntimo]

Caution

Do not merge until the correct point in the Deployment Plan

Warning

remove /develop from assets paths before merging!

✏️ Changes

• Update the extension to run on node 18.16.0
• Bump underlying hapi.js framework to 21.3.3 which involved a huge number of changes because the whole framework has been re-written from using callbacks to using async/await.
• Many other related dependency version bumps, to get compatibility between peer dependencies. There are some limitations based on which versions of what packages can be included from https://auth0-extensions.github.io/canirequire/ - some specific package versions are not available and so are included in the bundle instead.
• fix functionality broken by package updates, which, essentially, was all of it
• fix all unit (144) and integration (34) tests. NB, integration tests are run pointing at a layer0 dev space.

NOTES

• will only build with this UNMERGED branch of the auth0-extensions-cli: [Do not merge] Hacky fix to build authorization extension in node18 auth0-extensions/auth0-extensions-cli#64
• check this branch out locally, then in the repo run npm link. Then navigate back to the authorization extension repo and run npm link auth0-extensions-cli. This will then use the local version of the extensions cli, not the master version.

📷 Screenshots

If there were visual changes to the application with this change, please include before and after screenshots here. If it has animation, please use screen capture software like to make a gif.

🔗 References

• Jira Epic: https://auth0team.atlassian.net/browse/IDS-4386

🎯 Testing

• The plan to test installing and updating the extension is here

✅ This change has been tested in a Webtask

✅ This change has unit test coverage

✅ This change has integration test coverage

✅ This change has been tested for performance

🚀 Deployment

Can this change be merged at any time? What will the deployment of the change look like? Does this need to be released in lockstep with something else?

🚫 This should only be merged and deployed using the extensions deployment tool at the correct point in the Deployment Plan

🎡 Rollout

In order to verify that the deployment was successful we will install and update the extension in a prod env and check functionality.

🔥 Rollback

If there are issues with the extension, then will will update the extensions.json to the previous node12 version 2.11.0 of the authz extension and advise customers who have updated, to "update" again to the previous version.

[semgrep-app]

Cannot determine what 'encodedBaseUrl' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure 'encodedBaseUrl' is not externally controlled, or sanitize this data.

_{Ignore this finding from unknown-value-with-script-tag.}

[semgrep-app]

Risk: Affected versions of @cypress/request and request are vulnerable to Server-Side Request Forgery (Ssrf). The vulnerability arises when SSRF filters implemented in request and cypress/request library, inadvertently delete all configured agents upon redirects involving protocol switches, thus nullifying established event listeners and anti-SSRF mechanisms, thereby enabling attackers to circumvent SSRF protections and potentially acquire unauthorized access to internal or restricted resources.

Fix: Upgrade this library to at least version 3.0.0 at auth0-authorization-extension/package-lock.json:32115.

Reference(s): GHSA-p8p7-x288-28g6, CVE-2023-28155

_{Ignore this finding from ssc-9bb58177-527a-4665-8cfc-e343dc367d9b.}

[semgrep-app]

Semgrep found 1 ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6 finding:

• package-lock.json
  • L24340 - Triage

Risk: Affected version of handlebars is vulnerable to Improper Neutralization Of Special Elements In Output Used By A Downstream Component ('Injection') / Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The vulnerability allows for Prototype Pollution, potentially leading to Remote Code Execution, as templates can modify an object's __proto__ and __defineGetter__ properties, enabling attackers to execute arbitrary code using specially crafted payloads.

Fix: Upgrade this library to at least version 4.3.0 at auth0-authorization-extension/package-lock.json:24340.

Reference(s): GHSA-w457-6q6x-cgp9, CVE-2019-19919

_{Ignore this finding from ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6.}

Semgrep found 7 ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e findings:

• package-lock.json
  • L4879 - Triage
  • L4998 - Triage
  • L5217 - Triage
  • L5279 - Triage
  • L5429 - Triage
  • L5670 - Triage
  • L34340 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm

Fix: Upgrade this library to at least version 9.0.0 at auth0-authorization-extension/package-lock.json:34340.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

_{Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.}

Semgrep found 7 ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f findings:

• package-lock.json
  • L4879 - Triage
  • L4998 - Triage
  • L5217 - Triage
  • L5279 - Triage
  • L5429 - Triage
  • L5670 - Triage
  • L34340 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at auth0-authorization-extension/package-lock.json:34340.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

_{Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.}

Semgrep found 2 ssc-aff5e8de-c638-4356-8a93-120597e35ce9 findings:

• package-lock.json
  • L9696 - Triage
  • L23879 - Triage

Risk: Affected versions of @babel/traverse are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use a 3rd party plugin that relies on the path.evaluate()or path.evaluateTruthy() internal Babel methods, or one of the known affected plugins (@babel/plugin-transform-runtime, Any 'polyfill provider' plugin that depends on @babel/helper-define-polyfill-provider, or @babel/preset-env when using its useBuiltIns option)

Fix: There are no safe versions of this library available for upgrade. Library included at auth0-authorization-extension/package-lock.json:23879.

Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133

_{Ignore this finding from ssc-aff5e8de-c638-4356-8a93-120597e35ce9.}

[fbgoode]

Unnecessary try/catch, maybe leftover from debugging