[CVE-2022-25758] Use dart-sass instead of node-sass #2054

Flyingliuhub · 2022-08-02T20:47:27Z

Signed-off-by: Tao liu liutaoaz@amazon.com

Description

This PR fixes the Regular expression denial of service in scss-tokenizer, use dart-sass instead of node-sass.

The node-sass are deprecated, the detail here.

The suggested solution (#535) is that use dart-sass instead of node-sass

The scan detail as following and link here

yarn why scss-tokenizer
yarn why v1.22.18
[1/4] Why do we have the module "scss-tokenizer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "scss-tokenizer@0.2.3"
info Reasons this module exists
   - "_project_#@osd#ui-framework#node-sass#sass-graph" depends on it
   - Hoisted from "_project_#@osd#ui-framework#node-sass#sass-graph#scss-tokenizer"
info Disk size without dependencies: "268KB"
info Disk size with unique dependencies: "1.11MB"
info Disk size with transitive dependencies: "1.11MB"
info Number of shared dependencies: 2
Done in 1.01s.

Issues Resolved

#1842 , #535

Check List

Signed-off-by: Tao liu <liutaoaz@amazon.com>

codecov-commenter · 2022-08-02T21:33:02Z

Codecov Report

Merging #2054 (cfd6aa4) into main (76e0f20) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2054   +/-   ##
=======================================
  Coverage   67.50%   67.51%           
=======================================
  Files        3077     3077           
  Lines       59184    59188    +4     
  Branches     9003     9003           
=======================================
+ Hits        39955    39958    +3     
- Misses      17044    17045    +1     
  Partials     2185     2185

Impacted Files	Coverage Δ
...ic/application/models/sense_editor/sense_editor.ts	`64.00% <0.00%> (-0.89%)`	⬇️
...plugins/maps_legacy/public/map/service_settings.js	`1.60% <0.00%> (-0.03%)`	⬇️
.../maps_legacy/public/map/base_maps_visualization.js	`1.94% <0.00%> (-0.02%)`	⬇️
src/plugins/vis_type_vega/public/services.ts	`100.00% <0.00%> (ø)`
packages/osd-optimizer/src/node/cache.ts	`52.77% <0.00%> (+2.77%)`	⬆️
...s/osd-optimizer/src/node/node_auto_tranpilation.ts	`87.75% <0.00%> (+4.08%)`	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

kavilla · 2022-08-02T23:08:50Z

looks like a snapshot failure, could update them?

kavilla · 2022-08-02T23:10:44Z

Do we see the issue called out here: #535 with EUI complaining?

I know we bumped EUI so it might have unblocked #535.

Signed-off-by: Tao liu <liutaoaz@amazon.com>

Flyingliuhub · 2022-08-02T23:33:23Z

EUI complaining?

According the error in the #535, it sounds like that happened on during the build compile, I didn't see the build compile error and UI error.

Flyingliuhub · 2022-08-02T23:34:25Z

looks like a snapshot failure, could update them?

Thanks. I updated the test, it should fixes the tests.

packages/osd-optimizer/src/worker/webpack.config.ts

yarn.lock

kavilla · 2022-08-03T18:15:44Z

Awesome! Do you know if there is any performance updates with the rendering? Also, will OUI be impacted by this @AMoo-Miki ? Finally, I haven't checked by do we use the sass render or renderSync?

Signed-off-by: Tao liu <liutaoaz@amazon.com>

Flyingliuhub · 2022-08-03T21:16:04Z

@AMoo-Miki , Is this changes looking good from your side? if you have time, please take a look this changes, thanks

kavilla · 2022-08-04T16:12:38Z

Hello @Flyingliuhub, are we able to eyeball any performance impact?

Flyingliuhub · 2022-08-04T17:33:42Z

Hello @Flyingliuhub, are we able to eyeball any performance impact?

I didn't see the page load (dashboard/discover/Visualizations) different in my local.

It take about 12 minutes for build locally with following command

yarn build-platform linux --skip-os-packages --skip-archives --release

kavilla · 2022-08-05T05:48:51Z

What are possible risk and impact to get this merged? Could we list and discuss here.

Is it a check list we could follow to self check besides automation test

Biggest worry was OUI, but Miki is good with that. Downstream might be impacted so it will be a breaking change for 3.0. The only other thing is if there is any performance degradation. But we don't have any client side perf tests so looks good to me. However, will hold off from merging until at least tomorrow just in case in becomes a blocker for OUI.

seraphjiang · 2022-08-06T03:57:55Z

Any update team ~
@Flyingliuhub @kavilla @AMoo-Miki

Flyingliuhub · 2022-08-08T15:18:18Z

Any update team ~ @Flyingliuhub @kavilla @AMoo-Miki

@kavilla , Is there any update from retro? if everything looks good from retro meeting, could you please click "Merge"? Thanks

Revert "add node fiber to improve performance (opensearch-project#2319)" Revert "[CVE-2022-25758] Use dart-sass instead of node-sass (opensearch-project#2054)" Revert back to use node-sass and bump to 8.0.0 Bump node.js to 18 and fix errors Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Revert "add node fiber to improve performance (opensearch-project#2319)" Revert "[CVE-2022-25758] Use dart-sass instead of node-sass (opensearch-project#2054)" Revert back to use node-sass and bump to 8.0.0 Change lmdb-store to lmdb Bump node.js to 18 and fix errors Issue Resolved: opensearch-project#3601 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Revert "add node fiber to improve performance (opensearch-project#2319)" Revert "[CVE-2022-25758] Use dart-sass instead of node-sass (opensearch-project#2054)" Revert back to use node-sass and bump to 8.0.0 Change lmdb-store to lmdb Bump node.js to 18 and fix errors Issue Resolved: opensearch-project#3601 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Fix async unit test timeout issue Signed-off-by: Anan Zhuang <ananzh@amazon.com> [Nodejs 18] fix lmdb and plugins discovery unit tests Signed-off-by: Anan Zhuang <ananzh@amazon.com> Fix windows path Signed-off-by: Anan Zhuang <ananzh@amazon.com> Increase memory limit for unit test and fix memory leak Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Revert "add node fiber to improve performance (opensearch-project#2319)" Revert "[CVE-2022-25758] Use dart-sass instead of node-sass (opensearch-project#2054)" Revert back to use node-sass and bump to 8.0.0 Change lmdb-store to lmdb Bump node.js to 18 and fix errors Issue Resolved: opensearch-project#3601 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Revert "add node fiber to improve performance (opensearch-project#2319)" Revert "[CVE-2022-25758] Use dart-sass instead of node-sass (opensearch-project#2054)" Revert back to use node-sass and bump to 8.0.0 Change lmdb-store to lmdb Bump node.js to 18 and fix errors Issue Resolved: opensearch-project#3601 Signed-off-by: Anan Zhuang <ananzh@amazon.com> add unhandle-rejections Signed-off-by: Anan Zhuang <ananzh@amazon.com> add worker add mock lmdb to integration test Signed-off-by: Anan Zhuang <ananzh@amazon.com> modify test start opensearch Signed-off-by: Anan Zhuang <ananzh@amazon.com> only one integration test Signed-off-by: Anan Zhuang <ananzh@amazon.com> update test Signed-off-by: Anan Zhuang <ananzh@amazon.com> increase time Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Revert "add node fiber to improve performance (opensearch-project#2319)" Revert "[CVE-2022-25758] Use dart-sass instead of node-sass (opensearch-project#2054)" Revert back to use node-sass and bump to 8.0.0 Change lmdb-store to lmdb Bump node.js to 18 and fix errors Issue Resolved: opensearch-project#3601 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

use dart-sass instead of node-sass

c480e0a

Signed-off-by: Tao liu <liutaoaz@amazon.com>

Flyingliuhub requested a review from a team as a code owner August 2, 2022 20:47

Flyingliuhub added the v3.0.0 label Aug 2, 2022

Flyingliuhub changed the title ~~[Security] Use dart-sass instead of node-sass~~ [CVE] Use dart-sass instead of node-sass Aug 2, 2022

kavilla added the cve Security vulnerabilities detected by Dependabot or Mend label Aug 2, 2022

This was linked to issues Aug 2, 2022

CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz - autoclosed #1842

Closed

Migrate from Node Sass to Dart Sass #535

Closed

Update basic_optimization.test snapshot

e72198b

Signed-off-by: Tao liu <liutaoaz@amazon.com>

seraphjiang previously approved these changes Aug 3, 2022

View reviewed changes

seraphjiang assigned Flyingliuhub Aug 3, 2022

seraphjiang requested a review from a team August 3, 2022 02:26