Rails: the lodash.template vulnerability

Introduction

I got an email from GitHub saying there was a vulnerability, and my reaction was: lodash.template? Did I even install that?
When I looked into it, it turned out to have been added to yarn.lock when I installed webpacker.

Reference link (I am following the steps given there):
How to upgrade only indirect dependency packages that yarn upgrade cannot update - Qiita

Trying yarn upgrade

$ yarn upgrade lodash.template
yarn upgrade v1.16.0
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
warning " > @babel/preset-react@7.0.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-display-name@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx@7.3.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx-self@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx-source@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx > @babel/plugin-syntax-jsx@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning " > webpack-dev-server@3.7.1" has unmet peer dependency "webpack@^4.0.0".
warning "webpack-dev-server > webpack-dev-middleware@3.7.0" has unmet peer dependency "webpack@^4.0.0".
[4/4] 🔨  Rebuilding all packages...
success Saved lockfile.
success Saved 0 new dependencies.
✨  Done in 6.31s.

$ git diff
(no output)

The upgrade did not work.

An aside
A lot of warnings are printed; if anyone knows how to resolve them, please let me know.

Finding out which package depends on it

You can check which package depends on lodash.template with yarn why lodash.template.

$ yarn why lodash.template
yarn why v1.16.0
[1/4] 🤔  Why do we have the module "lodash.template"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "lodash.template@4.4.0"
info Reasons this module exists
   - "@rails#webpacker#postcss-preset-env#postcss-initial" depends on it
   - Hoisted from "@rails#webpacker#postcss-preset-env#postcss-initial#lodash.template"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "80KB"
info Number of shared dependencies: 2
✨  Done in 0.70s.

As mentioned at the start, it was webpacker.

Solution

Reinstalling webpacker would probably fix it, but redoing that install apparently can cause various other problems, so I want to reinstall only lodash.template.

It seems this can be done by deleting the lodash.template entry from yarn.lock and running yarn install.

yarn.lock
# --------------------------------- delete this whole entry -------------------------------
lodash.template@^4.2.4:
  version "4.4.0"
  resolved "https://registry.yarnpkg.com/lodash.template/-/lodash.template-4.4.0.tgz#e73a0385c8355591746e020b99679c690e68fba0"
  integrity sha1-5zoDhcg1VZF0bgILmWecaQ5o+6A=
  dependencies:
    lodash._reinterpolate "~3.0.0"
    lodash.templatesettings "^4.0.0"
# --------------------------------- delete this whole entry -------------------------------

$ yarn install
yarn install v1.16.0
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
warning " > @babel/preset-react@7.0.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-display-name@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx@7.3.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx-self@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx-source@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning "@babel/preset-react > @babel/plugin-transform-react-jsx > @babel/plugin-syntax-jsx@7.2.0" has unmet peer dependency "@babel/core@^7.0.0-0".
warning " > webpack-dev-server@3.7.2" has unmet peer dependency "webpack@^4.0.0".
warning "webpack-dev-server > webpack-dev-middleware@3.7.0" has unmet peer dependency "webpack@^4.0.0".
[4/4] 🔨  Building fresh packages...
success Saved lockfile.
  Done in 4.52s.

$ git diff
diff --git a/yarn.lock b/yarn.lock
index 37c2ec0..4d3fdc4 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3815,7 +3815,7 @@ locate-path@^3.0.0:
     p-locate "^3.0.0"
     path-exists "^3.0.0"

-lodash._reinterpolate@~3.0.0:
+lodash._reinterpolate@^3.0.0, lodash._reinterpolate@~3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz#0ccf2d89166af03b3663c796538b75ac6e114d9d"
   integrity sha1-DM8tiRZq8Ds2Y8eWU4t1rG4RTZ0=
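Review bot: no new code enters the tree from this hunk; it only adds the `^3.0.0` selector to the existing `3.0.0` entry (version, tarball URL and `sha1` integrity line are untouched), which yarn does because the re-resolved `lodash.template` below now asks for `^3.0.0` instead of `~3.0.0`. A merged selector line like this is the usual sign that a transitive constraint changed, not that the package itself was upgraded, so it needs no further action.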
@@ -3841,11 +3841,11 @@ lodash.tail@^4.1.1:
   integrity sha1-0jM6NtnncXyK0vfKyv7HwytERmQ=

 lodash.template@^4.2.4:
-  version "4.4.0"
-  resolved "https://registry.yarnpkg.com/lodash.template/-/lodash.template-4.4.0.tgz#e73a0385c8355591746e020b99679c690e68fba0"
-  integrity sha1-5zoDhcg1VZF0bgILmWecaQ5o+6A=
+  version "4.5.0"
+  resolved "https://registry.yarnpkg.com/lodash.template/-/lodash.template-4.5.0.tgz#f976195cf3f347d0d5f52483569fe8031ccce8ab"
+  integrity sha512-84vYFxIkmidUiFxidA/KjjH9pAycqW+h980j7Fuz5qxRtO9pgB7MDFTdys1N7A5mcucRiDyEq4fusljItR1T/A==
   dependencies:
-    lodash._reinterpolate "~3.0.0"
+    lodash._reinterpolate "^3.0.0"
     lodash.templatesettings "^4.0.0"

 lodash.templatesettings@^4.0.0:
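Review bot: the `integrity` field changes algorithm along with the version (`sha1-…` for 4.4.0, `sha512-…` for 4.5.0); that is expected when yarn re-resolves from current registry metadata, but it is also why this block must be regenerated by `yarn install` rather than edited by hand, since the digest is what install verifies the fetched tarball against. The relaxed `lodash._reinterpolate "^3.0.0"` constraint here is what produced the merged selector in the previous hunk; `lodash.templatesettings "^4.0.0"` is unchanged, so nothing else in the tree moves.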

With that, I pushed to GitHub.
Then a vulnerability in lodash itself was found, and I received a message asking me to raise its version to 4.17.13 or later.
Resolving it with the same steps as above removes that vulnerability too.
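The yarn.lock surgery above (find the entry, delete it, let yarn install re-resolve) together with the follow-up check that a locked version meets an advisory's minimum, as an added Python example that is not from the original post. SAMPLE_LOCK is a constructed v1 lockfile in the shape of the page's entries (the lodash.templatesettings entry is trimmed to its version line), and find_entries, pinned_below and strip_entries are names chosen here.

```python
# Added example, not the post's code: the yarn.lock edit from the steps above, done
# programmatically. SAMPLE_LOCK is a constructed v1 lockfile shaped like the page's entries.
import re

SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

lodash.template@^4.2.4:
  version "4.4.0"
  resolved "https://registry.yarnpkg.com/lodash.template/-/lodash.template-4.4.0.tgz#e73a0385c8355591746e020b99679c690e68fba0"
  integrity sha1-5zoDhcg1VZF0bgILmWecaQ5o+6A=
  dependencies:
    lodash._reinterpolate "~3.0.0"
    lodash.templatesettings "^4.0.0"

lodash.templatesettings@^4.0.0:
  version "4.1.0"
"""

def _blocks(lock: str) -> list:
    return re.split(r"\n\s*\n", lock.strip("\n"))  # entries are blank-line separated

def entry_name(selector: str) -> str:
    """'lodash.template@^4.2.4' or '"@rails/webpacker@^4.0.0"' -> package name."""
    sel = selector.strip().strip('"')
    return sel[: sel.rindex("@")]

def _matches(block: str, name: str) -> bool:
    key = block.split("\n", 1)[0]
    if key.startswith("#") or not key.endswith(":"):
        return False  # header comment, not an entry
    return any(entry_name(s) == name for s in key[:-1].split(", "))  # 'a@^3.0.0, a@~3.0.0:'

def find_entries(lock: str, name: str) -> list:
    """(selector key, locked version) per entry of `name`; exact match, so no prefix confusion."""
    found = []
    for block in _blocks(lock):
        if _matches(block, name):
            version = re.search(r'^\s+version "([^"]+)"', block, re.M).group(1)
            found.append((block.split("\n", 1)[0][:-1], version))
    return found

def pinned_below(lock: str, name: str, minimum: str) -> list:
    """Entries of `name` locked to a version older than the advisory's minimum."""
    vt = lambda v: tuple(int(x) for x in v.split("."))  # plain x.y.z only, no pre-release
    return [(k, v) for k, v in find_entries(lock, name) if vt(v) < vt(minimum)]

def strip_entries(lock: str, name: str) -> str:
    """Drop every entry of `name` so the next `yarn install` re-resolves it."""
    return "\n\n".join(b for b in _blocks(lock) if not _matches(b, name)) + "\n"
```

Write the result of strip_entries back over yarn.lock, then run yarn install and git diff exactly as in the post; pinned_below is the same check applied to the lodash >= 4.17.13 alert that followed.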
