Fractal shellJS vulnerability
Background:
- FEC pattern library (https://fec-pattern-library.app.cloud.gov/) is a public site used by the FEC to catalog our style components, and it is built with Fractal
- Our vulnerability tracker, Snyk, flagged a high-severity command injection vulnerability in Fractal that we can't patch ourselves. Here is also a link to our fec-pattern-library issue for more context: https://github.com/fecgov/fec-pattern-library/issues/113
- The issue is with shelljs; it looks like there's no fix version. We'd have to find an alternative
- Our ATO (Authority to Operate) mandates that we remediate high-severity vulnerabilities within 30 days
- Fractal is also used by US Web Design Standards: https://github.com/uswds/uswds#fractal
Hi there! Thanks for providing such an awesome tool. Our agency (U.S. Federal Election Commission) uses Fractal to build our pattern library (https://fec-pattern-library.app.cloud.gov/), which is a public site used to catalog our style components.
Our vulnerability tracker, Snyk, flagged Fractal’s shelljs dependency as a high-severity command injection risk. In order to maintain our Authority to Operate (ATO), our agency is required to mitigate high-risk vulnerabilities within 30 days.
We’ve forked the repo to see if we can help explore a possible workaround https://github.com/fecgov/fractal, but it appears there is no remediation for the shelljs package dependency used in fractal, even after attempting to upgrade to the latest version.
We'd like to know if you have any plans to address this issue with shelljs and, if so, whether or not that would fall within our 30-day window. If you could let us know (even if it's just to say "we do not"), we would greatly appreciate it.
If we can help in any way with this, please let us know. Thank you for your time!
cc: @dkhuntrods and @allmarkedup
Top GitHub Comments
Hi @patphongs. The shelljs command is only ever used during installation to help create a new fractal project. It’s not used by the development server, and any built code is static, further reducing the risk of any possible injection. I understand if this isn’t enough for your ATO, though, and since it’s used in such a small area I can investigate an alternative package.
@dkhuntrods Thank you for your response, we greatly appreciate it! We have documented this within our repository and have concluded that it is not much of a risk given the current nature of how the command is used. This issue is now closed for us. https://github.com/fecgov/fec-pattern-library/issues/113#issuecomment-387508142