Description
Problem
Currently in Expensify App we have around 34 vulnerabilities of Critical, High and Moderate severity in our dependencies. Even though our App works fine, there is always a chance that one of them is exploited in the future. Since Expensify is a FinTech App, security vulnerabilities should be avoided and mitigated as much as possible.
Some examples of the vulnerabilities found via npm audit are:
- Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CRITICAL
- Uncontrolled resource consumption in braces - HIGH
- fast-xml-parser vulnerable to ReDOS at currency parsing - HIGH
- follow-redirects' Proxy-Authorization header kept across hosts - MODERATE
- PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - HIGH
- ws affected by a DoS when handling a request with many HTTP headers - HIGH
- Prototype Pollution in JSON5 via Parse Method - HIGH
- JSON-Patch Prototype Pollution vulnerability - HIGH
Solution
The links for the vulnerabilities also suggest the version we can bump each dependency to in order to fix the vulnerability. Since most of the vulnerabilities originate from transitive dependencies, we can use the `overrides` property in package.json to force that pinned version for the specific dependency. For example, consider the `ws` transitive dependency, which can be bumped to 8.17.1 in order to fix the vulnerability. Below is how we can achieve this:
```json
"devDependencies": {
....
},
"overrides": {
"ws": "8.17.1"
}
```

Once we add the patched versions of the vulnerable packages in the `overrides` property, we need to do a QA pass to make sure there are no regressions introduced by the patched versions.
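As an added check (example code, not from this issue or the Expensify repository): after the overrides are in place, a small Node script can walk package-lock.json and flag any installed copy of an overridden package that still differs from the pin, which is the first thing to verify before the QA pass. The `findUnappliedOverrides` function and the sample package.json and lockfile objects are constructed for illustration and assume exact-version overrides like `"ws": "8.17.1"`.

```javascript
// Added example: verify that every package pinned in package.json "overrides"
// is what actually got installed, by walking the lockfile's "packages" map
// (npm lockfile v2/v3 layout). Assumes overrides are exact versions.

// Constructed sample inputs standing in for package.json / package-lock.json.
const pkg = {
  devDependencies: { 'some-tool': '^1.0.0' },
  overrides: { ws: '8.17.1', braces: '3.0.3' },
};
const lock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/ws': { version: '8.17.1' },
    'node_modules/braces': { version: '3.0.3' },
    // A nested copy the override did not reach (e.g. a stale lockfile).
    'node_modules/some-tool/node_modules/ws': { version: '7.5.9' },
  },
};

// Package name from a lockfile path: the text after the last "node_modules/".
// Scoped packages ("node_modules/@scope/name") are handled because the scope
// segment contains no further "node_modules/".
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Returns every installed copy of an overridden package whose version does
// not equal the override; an empty array means all pins were applied.
function findUnappliedOverrides(packageJson, lockfile) {
  const overrides = packageJson.overrides || {};
  const problems = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageName(lockPath);
    if (name === null || !(name in overrides)) continue;
    const wanted = overrides[name];
    if (entry.version !== wanted) {
      problems.push({ name, path: lockPath, installed: entry.version, wanted });
    }
  }
  return problems;
}

for (const p of findUnappliedOverrides(pkg, lock)) {
  console.log(`${p.path}: installed ${p.installed}, override wants ${p.wanted}`);
}
```

On a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; a non-empty result means `npm install` has not yet regenerated the lockfile with the override applied.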
Apart from this, upgrading to newer versions can sometimes be useful as they come with bug fixes and performance improvements. For example, react-pdf comes with lots of improvements like optimized CPU and memory usage, see here. There's one edge case that I am not aware of and would like to discuss:
- We now don't have `pdfjs-dist/legacy/build`; instead we have `pdfjs-dist/build`, as `react-pdf` has dropped support for older browsers. In `react-fast-pdf`, which is maintained by Expensify here, and in Expensify App, we have references to `pdfjs-dist/legacy/build`, which we can just change to `pdfjs-dist/build`. After this change, in my testing, I was able to send and view the PDF correctly, so everything looks correct, but a QA pass in this area might come in handy.
Edit: The `react-pdf` update is already being tracked here. We have to make sure to verify the updates to `react-fast-pdf`.
Edit: I missed it the first time, but we do have `pdfjs-dist/legacy/build`; it now ships `.mjs` instead of `.js` files, so we still have to update `react-fast-pdf` to include the `.mjs` extension.
Upwork Automation - Do Not Edit
- Upwork Job URL: https://www.upwork.com/jobs/~021843732810666984794
- Upwork Job ID: 1843732810666984794
- Last Price Increase: 2024-10-08