Vulnerabilities in `tests` and `staging` directory in JupyterLab Python package

Our CVE scanner reports several vulnerabilities in the jupyterlab package. The findings are all contained in the tests or staging directory inside the package.

Here is the relevant extract from our CVE report:

Vulnerabilities

| # | severity | vulnerability_name | name | version | path | fixed_version |
|---|---|---|---|---|---|---|
| 2 | HIGH | GHSA-m4gq-x24j-jpmf | mermaid | 10.7.0 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 10.9.3 |
| 4 | HIGH | CVE-2024-45590 | body-parser | 1.20.2 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 1.20.3 |
| 5 | HIGH | CVE-2024-45590 | body-parser | 1.20.1 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 1.20.3 |
| 6 | HIGH | CVE-2024-45296 | path-to-regexp | 0.1.7 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 0.1.10 |
| 7 | HIGH | CVE-2024-37890 | ws | 8.16.0 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/test-hyphens-underscore/yarn.lock | 8.17.1 |
| 8 | HIGH | CVE-2024-37890 | ws | 8.16.0 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/test_no_hyphens/yarn.lock | 8.17.1 |
| 16 | HIGH | CVE-2024-29415 | ip | 2.0.1 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | nan |
| 20 | HIGH | CVE-2024-21538 | cross-spawn | 7.0.3 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 7.0.5 |
| 21 | HIGH | CVE-2024-21538 | cross-spawn | 7.0.3 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/test-hyphens-underscore/yarn.lock | 7.0.5 |
| 22 | HIGH | CVE-2024-21538 | cross-spawn | 7.0.3 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/test_no_hyphens/yarn.lock | 7.0.5 |
| 26 | HIGH | CVE-2022-25883 | semver | 7.5.1 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 7.5.2 |
| 27 | HIGH | CVE-2022-25883 | semver | 7.5.0 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock | 7.5.2 |
| 28 | HIGH | CVE-2022-24785 | moment | 2.17.1 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/incompat/package.json | 1.0.0-alpha.0 |
| 29 | HIGH | CVE-2022-21681 | marked | 0.3.19 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/incompat/package.json | 3.0.0-alpha.0 |
| 30 | HIGH | CVE-2022-21680 | marked | 0.3.19 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/incompat/package.json | 3.0.0-alpha.0 |
| 32 | HIGH | CVE-2017-18214 | moment | 2.17.1 | /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/incompat/package.json | 0.14.0 |

Some questions:

  • Is it necessary to include the staging and tests in the jupyterlab Python package?
  • Can I safely remove the files in question without breaking JupyterLab functionality?
  • Could you update the packages in question to eliminate the findings?

When evaluating a Jupyter application with these methods, you have to ask whether the security posture you are seeking is even possible when you are asking users to execute arbitrary code in nearly any language, and giving them the ability, by default, to install any package. Even removing some of the useful features which make this easy for a trusted user will not make them hard for a semi-motivated bad actor or their script.

Anyhow:

  • removing tests is probably fine, and indeed, this should be done upstream (along with some other packaging issues).
  • removing staging will break the user application, and likely nothing at all will work, which would be very secure indeed.
    • the specific mermaid finding is a red herring as jupyterlab ships its own version of dompurify.
2 Likes

In addition, these dependencies are not used at runtime but are only present for extension development or similar. I recognise that it is difficult for users of automatic scanners to know which dependencies do what, and I opened:

From a quick look - only considering the ones in staging:

  • body-parser, path-to-regexp and semver (in versions 7.5.0 and 7.5.1) - used by verdaccio or its dependencies, which are only used for testing
  • ip is used by dependencies of node-gyp, which would not be used except by extension and core developers or admins using source installation of extensions (users are recommended to only install prebuilt extensions)
  • cross-spawn is used by yarn and by dependencies of eslint-plugin-prettier; again, this is only used by developers using the jlpm command
  • mermaid - as in the post above

Once the extension building machinery is fully transferred out of the main package to GitHub - jupyterlab/jupyter-builder: Build tools for JupyterLab (and remixes), the number of false positives will decrease.

Also, just in case: Project Jupyter | Security

1 Like
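A path-based triage step for reports like the one quoted in the question, as an added example that is neither JupyterLab's nor any scanner's own code: it parses the report rows and buckets findings whose lockfile sits under the package's `staging/` or `tests/` directories, following the explanation in the answers above, so they can be reviewed separately from anything in the importable runtime tree. The `DEV_ONLY_DIRS` labels and rationale strings are my own assumptions, and the sample rows are copied from the report in the question.

```python
import re
from collections import defaultdict

# Hypothetical labels summarising the thread's explanation of the two directories.
DEV_ONLY_DIRS = {
    "staging": "frontend build tree, used only when rebuilding JupyterLab (jlpm / source extensions)",
    "tests": "mock packages consumed only by the test suite",
}

# One report row: index severity vulnerability_name name version path fixed_version
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_report(text):
    """Turn the scanner's whitespace-separated rows into dicts; skip non-row lines."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _, severity, vuln, name, version, path, fixed = m.groups()
        findings.append({"severity": severity, "id": vuln, "name": name, "version": version,
                         "path": path, "fixed": None if fixed == "nan" else fixed})
    return findings

def classify(path):
    """Return (category, rationale) based on the directory just below the package root."""
    parts = path.split("/")
    if "site-packages" not in parts:
        return "unknown", "path is not inside a Python site-packages tree"
    rel = parts[parts.index("site-packages") + 1:]  # e.g. ['jupyterlab', 'staging', 'yarn.lock']
    if len(rel) >= 3 and rel[1] in DEV_ONLY_DIRS:
        return "dev-only:" + rel[1], DEV_ONLY_DIRS[rel[1]]
    return "runtime", "file sits in the importable package tree; treat the finding as real"

def triage(text):
    """Group (id, name, version) by category so dev-only lockfile hits can be reviewed separately."""
    groups = defaultdict(list)
    for f in parse_report(text):
        category, _ = classify(f["path"])
        groups[category].append((f["id"], f["name"], f["version"]))
    return dict(groups)

# Constructed sample: four rows copied from the report quoted in the question.
SAMPLE = """\
2 HIGH GHSA-m4gq-x24j-jpmf mermaid 10.7.0 /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock 10.9.3
7 HIGH CVE-2024-37890 ws 8.16.0 /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/test-hyphens-underscore/yarn.lock 8.17.1
16 HIGH CVE-2024-29415 ip 2.0.1 /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/staging/yarn.lock nan
28 HIGH CVE-2022-24785 moment 2.17.1 /opt/conda/envs/jupyter/lib/python3.11/site-packages/jupyterlab/tests/mock_packages/incompat/package.json 1.0.0-alpha.0
"""
```

Anything that lands in the `runtime` bucket still needs the usual fix-or-upgrade handling; the dev-only buckets are the candidates for a documented scanner exception.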