Hawk, a widely-used npm package for HTTP Hawk authentication, saw a minor version update from 3.1.2 to 3.1.3. While seemingly small, understanding the nuances between these versions can be crucial for developers who rely on Hawk for secure communication. Examining the package manifests reveals no changes in core dependencies like hoek, boom, cryptiles, and sntp, which handle utilities, HTTP error objects, cryptographic tools, and SNTP client functionality respectively. Similarly, development dependencies code and lab, used for testing, remain consistent.
The license, repository, and author information are unchanged, indicating no shift in licensing terms or maintainership. The primary difference lies in the version number itself and the releaseDate. Version 3.1.3 was released on January 21, 2016, a couple of months after version 3.1.2, which was released on November 19, 2015. This suggests a bug fix, performance improvement, or very minor feature enhancement introduced in the interim.
Developers should always consult the official Hawk changelog or release notes for a detailed breakdown of modifications in version 3.1.3. It's advisable to review these changes before upgrading, especially in production environments, to ensure compatibility and prevent unexpected issues. Even a minor version bump can introduce subtle alterations that might impact existing integrations. If the changelog is unavailable or sparse, carefully assessing the package source code differences using a diff tool is recommended to understand the code-level modifications. Given the absence of dependency updates, the upgrade should ideally be seamless if the changes are limited to internal optimizations or bug resolutions.
All vulnerabilities related to version 3.1.3 of the package
Uncontrolled Resource Consumption in Hawk
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the Host HTTP header (Hawk.utils.parseHost()), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use the built-in URL class to parse the hostname instead. Hawk.authenticate() accepts an options argument. If that contains host and port, those are used instead of a call to utils.parseHost().
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
This type of attack can be used to overwrite existing properties, causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.
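Both hoek advisories above come down to the same defect: a recursive copy that follows a "__proto__" (or constructor/prototype) key from parsed JSON into Object.prototype. The following is an added example, not hoek's or Hawk's own code, of a deep merge that refuses to copy those keys; it replays the payload from the merge demonstration above and shows an unrelated object stays clean. The function names (safeMerge, isPlainObject, demo) are this example's own.

```javascript
// Keys that, when followed or assigned during a recursive copy, reach
// Object.prototype instead of the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only ordinary object literals (or null-prototype objects) are recursed into;
// arrays, class instances, Dates etc. are assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`. Only own enumerable keys are visited, and
// the three prototype-reaching keys are skipped outright rather than assigned,
// so '{"__proto__":{...}}' and '{"constructor":{"prototype":{...}}}' are inert.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Reuse an existing own plain object on the target; otherwise start a
      // fresh one so an inherited property is never used as the merge target.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Replays the advisory's payload against safeMerge and reports whether an
// unrelated object picked up the injected property (it must not).
function demo() {
  const maliciousPayload = '{"__proto__":{"oops":"It works !"}}'; // payload from the advisory
  const unrelated = {};
  const merged = safeMerge({ keep: 1 }, JSON.parse(maliciousPayload));
  return { polluted: 'oops' in unrelated, merged };
}

console.log(demo()); // { polluted: false, merged: { keep: 1 } }
```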