Topic: PQGrid jszip 2.5.0 vulnerabilities

ferpagano

PQGrid jszip 2.5.0 vulnerabilities
« on: March 08, 2023, 05:25:27 pm »
Hello Support!

We are currently using PQGrid v8.6.0 and have been using Veracode to track vulnerabilities and improvements. Recently, Veracode detected a high severity vulnerability related to the jszip v2.5.0 dependency used in PQGrid. The vulnerability details have been provided below:

Quote
CVE-2022-48285| CWE-22
Directory Traversal: jszip is vulnerable to Directory Traversal. The vulnerability exists as untrusted user input is not properly validated and/or sanitized, allowing an attacker to exploit the vulnerability via a crafted ZIP archive.

Would it be possible for you to update PQGrid to use the latest version of jszip (or v3.8.0 or later) to address this issue?
This vulnerability also applies to PQGrid v8.7.0.

Please refer to the following links for further details on this vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2022-48285
https://cwe.mitre.org/data/definitions/22.html


Hope you can help.
Thanks in advance.

Best regards,
Fernando.

paramvir

  • Administrator
Re: PQGrid jszip 2.5.0 vulnerabilities
« Reply #1 on: March 08, 2023, 09:03:26 pm »
Thanks for reporting the issue; however, please take note of the following points:

1) The reported jszip vulnerability applies to its usage in a server environment and not in the browser. The browser doesn't give access to the user's filesystem through JS.

2) pqgrid uses jszip as an internal dependency, and doesn't pass any user-supplied parameter related to filesystem paths to jszip.

3) The link you shared reports a vulnerability in the loadAsync method, which is applicable to version 3.x and not to version 2.x.

Hope it helps.
« Last Edit: March 08, 2023, 09:06:52 pm by paramvir »

ferpagano

Re: PQGrid jszip 2.5.0 vulnerabilities
« Reply #2 on: March 08, 2023, 11:27:10 pm »
Thanks Paramvir for the detailed answer. It helps us to know that the issue should not apply.

Also, I would like to mention that the 'npm audit' command shows vulnerabilities. The second finding in the npm output is the same as the one in the first post, but I'm not sure about the "Prototype" issue. I would appreciate your comments on this matter.

Quote
# npm audit report

jszip  <=3.7.1
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-jg8v-48h5-wgxg
JSZip contains Path Traversal via loadAsync - https://github.com/advisories/GHSA-36fh-84j7-cv5h
No fix available
node_modules/jszip
  pqgrid  *
  Depends on vulnerable versions of jszip
  node_modules/pqgrid

Thanks!

paramvir

  • Administrator
Re: PQGrid jszip 2.5.0 vulnerabilities
« Reply #3 on: March 09, 2023, 01:09:08 pm »
Thanks for reporting the Prototype issue; it looks more like a bug than a security vulnerability.

As per the description and my understanding, if strings such as proto, __proto__, toString, etc. are used as filenames, then it has the potential to corrupt the zip file.

As per the preliminary testing done with this example: https://paramquery.com/pro/demos/export_group_columns, passing the supposedly problematic filenames results in no problem or error whatsoever and the downloaded zip / xlsx files open without issues.

So apparently it doesn't have any impact on pqgrid's use of jszip 2.5.0, unless you find or come across some issue with reproducible steps.
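For readers who do extract archives server-side, or who keep a filename-keyed table the way the two advisories above describe, here is an added example that is not code from this thread, from pqgrid or from jszip. It illustrates both points raised in Reply #1 and Reply #3: validating ZIP entry names before they are ever joined to a filesystem path (the situation in which the loadAsync traversal issue matters), and storing entries by name without letting keys such as "__proto__" or "toString" collide with Object.prototype. All function names and the sample entry names are this example's own.

```javascript
// Added example (not pqgrid or jszip code). Two defensive checks for code that
// handles archive entry names: path-traversal rejection and a prototype-safe
// filename table. Function names and sample data are invented for this example.

// Normalise separators and reject anything that could escape an extraction
// root: NUL bytes, absolute paths, Windows drive letters, or ".." that climbs
// above the root after "." and empty segments are discarded.
function isSafeEntryName(name) {
  if (typeof name !== 'string' || name.length === 0) return false;
  if (name.includes('\0')) return false;            // NUL truncates C-string paths
  const n = name.replace(/\\/g, '/');               // treat backslash as a separator too
  if (n.startsWith('/')) return false;              // absolute POSIX path
  if (/^[A-Za-z]:/.test(n)) return false;           // Windows drive letter
  let depth = 0;                                    // current directory depth under root
  for (const seg of n.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      depth -= 1;
      if (depth < 0) return false;                  // would climb above the root
      continue;
    }
    depth += 1;
  }
  return true;
}

// Canonical relative form of an already-validated name: "." dropped, ".."
// collapsed against the preceding segment, separators unified to "/".
function normalizeEntryName(name) {
  const out = [];
  for (const seg of name.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return out.join('/');
}

// Join a validated entry name to an extraction root. Throws instead of
// returning a path when the name fails validation, so callers cannot forget.
function joinUnderRoot(root, name) {
  if (!isSafeEntryName(name)) {
    throw new Error(`unsafe zip entry name: ${JSON.stringify(name)}`);
  }
  const base = root.replace(/\/+$/, '');
  const rel = normalizeEntryName(name);
  return rel === '' ? base : `${base}/${rel}`;
}

// Split entry names into accepted and rejected, the way a server-side
// extractor would triage an archive before touching the disk.
function triageEntryNames(names) {
  const accepted = [];
  const rejected = [];
  for (const name of names) (isSafeEntryName(name) ? accepted : rejected).push(name);
  return { accepted, rejected };
}

// Naive table: a plain object keyed by entry name. A string assigned to
// "__proto__" is silently dropped (the setter ignores non-objects), and an own
// "toString" string shadows Object.prototype.toString, so String(table) throws.
function plainObjectTable(entries) {
  const files = {};
  for (const [name, data] of entries) files[name] = data;
  return files;
}

// Safe table: a Map treats every string key alike, including "__proto__".
function mapTable(entries) {
  const files = new Map();
  for (const [name, data] of entries) files.set(name, data);
  return files;
}

// Constructed sample entry names (not taken from any real archive).
const SAMPLE_NAMES = [
  'report.xlsx',
  'sheets/data.csv',
  'sheets/../summary.csv',   // stays inside the root after normalisation
  '../outside.txt',          // climbs above the root
  '/absolute.txt',           // absolute path
  'C:\\win\\path.txt',       // drive letter
  '__proto__',               // harmless as a path, hazardous as an object key
  'toString',
];
```

The traversal check is independent of the library version: any code that turns archive entry names into filesystem paths should reject the three unsafe cases before calling into the zip library, rather than trusting the library to do it. The Map-based table is the fix for the "Prototype" finding in the npm audit output: the defect is not in the filename itself but in using a plain object as a dictionary, which is why the export demo in Reply #3 produces a valid archive while the same names would misbehave in an object-keyed lookup.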

ferpagano

Re: PQGrid jszip 2.5.0 vulnerabilities
« Reply #4 on: March 09, 2023, 04:44:08 pm »
Thanks again Paramvir.