Update Discord Link + Fix 6 Security Vulnerabilities.

[0xE69]

Upgrade Vulnerable Dependencies for Security Enhancements

This commit updates our project dependencies to address several critical and medium-severity security vulnerabilities:

[Removed for security] Please reach out to me on telegram @nexusnode

Adjustments:

• Modified package.json and yarn.lock files to upgrade vulnerable dependencies to secure versions.
• Changed discord links to reflect new official vanity links following subsequent attack.

Note for Yarn zero-installs Users:

This update does not directly modify the .yarn/cache/ directory. Users leveraging Yarn's zero-installs feature are advised to run yarn to refresh the cache and ensure compatibility with these security updates. For those not using zero-installs, project workflows remain unaffected.

By proactively addressing these vulnerabilities, we enhance our application's security and resilience against potential threats.

Further reviews to follow tomorrow.

[ipopescu]

@0xE69 @ACStoneCL, I will update the Discord links. I was waiting on confirmation from the Association. Please pull my updates once I merge the PR.

[ipopescu]

Since this is a major version update for Docusaurus, it seems to require node and npm updates to run the site locally. In this case, some thorough testing needs to happen locally. Has this been completed? I tried making the proposed changes locally to test the site, and I am unable to bring it up.

All docusaurus/* versions should be updated to the 3.0 version.
The README should be updated as well.
The node version in package.json should probably be updated.

I am still working through the changes locally, but I wanted to share that this PR may need additional work.

[ipopescu]

@0xE69, I'm stuck, so I'm going to stop troubleshooting ATM. Here is what I have tried: dev...ipopescu:docs:1367_update_links.
Please take this forward and propose changes that I can run locally.

[0xE69]

I will test locally and update you.

[0xE69]

One example of the error you're encountering is due to the use of https://cspr.live/ in the MDX file, which MDX is trying to parse as a JSX component or an HTML tag because it's enclosed in angle brackets (< and >). URLs don't conform to the naming conventions of JSX components or HTML tags, this causes a parsing error.

To fix this error, you should format URLs as Markdown links rather than plain text enclosed in angle brackets.

I have updated all pages and project builds with no errors.

[0xE69]

Further update and report to follow.

[0xE69]

Security Update - Addressing Critical and High Vulnerability Issues

Summary

This Pull Request addresses multiple security vulnerabilities ranging from critical to medium severity within the project's dependencies.

The updates mitigate risks associated with incomplete input validation, denial of service, cross-site request forgery, prototype pollution, open redirects, and cross-site scripting vulnerabilities.

Fixes

The following vulnerabilities have been fixed:

• CRITICAL: @babel/traverse Incomplete List of Disallowed Inputs, identified by CWE-184, CVE-2023-45133 with a CVSS score of 9.3. This update patches a critical vulnerability that could potentially allow attackers to manipulate the application in unintended ways due to incomplete input validation.

• HIGH:

  • trim Regular Expression Denial of Service (ReDoS), defined by CWE-400, CVE-2020-7753 with a CVSS score of 7.5. The vulnerability could lead to denial of service attacks through specially crafted input.
  • axios Cross-site Request Forgery (CSRF) and Prototype Pollution, referenced by CWE-352, CVE-2023-45857, and CWE-1321 respectively, both with significant CVSS scores of 7.1 and 7.5. These vulnerabilities expose the application to unauthorized actions by an attacker and modification of object prototype properties.
  • follow-redirects Improper Input Validation, characterized by CWE-20, CVE-2023-26159 with a CVSS score of 7.3, leading to potential misuse of the application.

• MEDIUM:

  • axios Regular Expression Denial of Service (ReDoS), marked by CWE-1333 with a CVSS score of 5.3.
  • got Open Redirect vulnerability, identified by CWE-601, CVE-2022-33987 with a CVSS score of 5.4, allowing attackers to redirect users to untrusted sites.
  • serialize-javascript Cross-site Scripting (XSS), as per CWE-79 with a CVSS score of 6.1, and postcss Improper Input Validation, identified by CWE-20, CVE-2023-44270 with a CVSS score of 5.3.

Impact

Failure to apply these updates leaves the application vulnerable to a range of attacks, including but not limited to, denial of service, unauthorized actions under the guise of legitimate users, and the execution of malicious scripts in the context of the user's browser session.

Action

It is strongly recommended to merge this PR at the earliest convenience to mitigate the identified security vulnerabilities. Following the merge, a thorough testing cycle is advised to ensure that the application maintains its functionality and integrity in light of the updates.

[ipopescu]

I can run the site locally with the latest updates. However, I am seeing several wonky navigation issues (screenshots below). This change requires some additional dev support and testing time.
Also, the build is failing, perhaps due to the node version on the server.

[0xE69]

@ipopescu Working on design bugs now.

[bradjohnl]

I've enabled Dependabot and it has created some PRs to address the @babel/traverse:

• Bump @babel/traverse from 7.22.8 to 7.23.9 in /src/plugins/docusaurus-plugin-navdata #1385
• Bump @babel/traverse from 7.22.8 to 7.23.9 #1384
• Bump @babel/traverse from 7.22.8 to 7.23.9 in /src/plugins/docusaurus-plugin-cookiesbanner #1382

This PR to enable automated updates will create more, that should cover other mentioned issues:
#1387

I will investigate on the remainder of them once the #1387 is merged

[bradjohnl]

The @babel/traverse library, identified in our yarn.lock file but not directly in package.json, is a transitive dependency. This means it's required by another dependency we use but not directly used in our code.

Typically, @babel/traverse is part of the build process, aiding in code compilation and transformation. Therefore, it's unlikely to be present in our production code, especially for a static site like ours.

The vulnerability (CVE-2023-45133) allows for arbitrary code execution during the compilation process with specially crafted malicious code.

The risk mainly applies to scenarios where untrusted code is compiled. While this vulnerability is critical, its direct impact on a statically built and deployed site like yours on GitHub Pages may be limited, as the risk is more relevant during the build process rather than in the served static content. However, ensuring your build process is secure remains important.

[bradjohnl]

I've verified that all the other vulnerabilities are all transitive dependencies.

By linking most of of yarn.lock file transitive dependencies with the package.json direct dependencies and going up the ladder, I could always end up in docusaurus main package.

This potentially means that the mentioned vulnerabilities (where applicable) could end up leaking into the statically generated Javascript code part of the production build:

• CVE-2023-45133 (Critical):
  This vulnerability affects @babel/traverse, which is typically used by Babel for code transformation during the build process. If the vulnerability in @babel/traverse allows attackers to manipulate the application code during transformation, it could potentially affect the static code generated by Babel.

This is less likely to happen as it would require the attacker to build some code and somehow get it to our production site. In theory an external developer could send a PR with the supposedly specially crafted malicious code and get it past our review process.

• CVE-2020-7753:
  This vulnerability affects the trim package, which could lead to denial-of-service attacks although the impact on static code generation might be minimal. If the trim package is used in a context where it handles untrusted or user-generated data during the build process, the risk of exploitation might be higher, and the impact on static code generation could be more significant.

• CVE-2023-45857:
  This vulnerability affects axios, a widely used HTTP client library. If axios is used in the build process to fetch data or resources during build time, the vulnerability could potentially affect the build output and make the XSRF-TOKEN vulnerable to being leaked, but from a first check, we are not using it unless it's implicitly implemented automatically by one of the many dependencies.

• CVE-2023-26159:
  This vulnerability affects follow-redirects, which could lead to improper input validation. Depending on how follow-redirects is used in the build process, it might affect the build output, although the impact on static code generation might be minimal.

From: GHSA-jchw-25xp-jwwc: Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

• CVE-1333:
  This vulnerability affects axios, leading to regular expression denial-of-service attacks. Similar to CVE-2023-45857, if axios is used during the build process, the vulnerability might affect the build output.

• CVE-2022-33987:
  This vulnerability affects got, which could lead to open redirect vulnerabilities. If got is used during the build process for any purpose, the vulnerability could potentially affect the build output.

• CVE-2023-44270:
  This vulnerability affects serialize-javascript, which could lead to cross-site scripting vulnerabilities. If serialize-javascript is used in the build process to serialize JavaScript objects, the vulnerability might affect the generated static JavaScript files.

[bradjohnl]

I've enabled Dependabot and it has created some PRs to address the @babel/traverse:

* [Bump @babel/traverse from 7.22.8 to 7.23.9 in /src/plugins/docusaurus-plugin-navdata #1385](https://github.com/casper-network/docs/pull/1385)

* [Bump @babel/traverse from 7.22.8 to 7.23.9 #1384](https://github.com/casper-network/docs/pull/1384)

* [Bump @babel/traverse from 7.22.8 to 7.23.9 in /src/plugins/docusaurus-plugin-cookiesbanner #1382](https://github.com/casper-network/docs/pull/1382)

This PR to enable automated updates will create more, that should cover other mentioned issues: #1387

I will investigate on the remainder of them once the #1387 is merged

• PR Bump follow-redirects from 1.15.2 to 1.15.5 #1386 fixes the GHSA-jchw-25xp-jwwc vulnerability of the follow-redirects package

For all the other vulnerabilities, I suppose we would have to upgrade docusaurus. Next thing I will do, is that I will find the next version that can be upgraded that covers everything without too much of a jump, so that we do not risk distrupting other things too much

[ipopescu]

Thanks for your investigation and updates, @bradjohnl.

[bradjohnl]

I could verify that the Discord link has already been changed, so this PR would need to be rebased to reflect the actual content from the dev branch.

[ipopescu]

@0xE69, any updates on this PR? It is getting old.

[ipopescu]

Closing this PR due to inactivity. If the work still needs to be done, please open a new PR referencing this one.
There are open PRs already for updating some of the dependencies. Also, upgrading to the next version of Docusaurus must be prioritized and addressed as a separate task.