Reaction Commerce v2.0.0-rc.7 Release Notes

Release Date: 2018-11-27 // over 3 years ago
  • v2.0.0-rc.7

    πŸš€ Security Release

    πŸš€ This security release addresses to potential vulnerabilities

    πŸ”§ We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

    βœ‚ Remove dependency on event-stream

    Event Stream Dependency Removal

    🚚 This fix removes a dependency on event-stream introduced by nodemon via pstree by bumping nodemon and pstree.remy through nodemon to a version that does not include pstree.

    🚚 event-stream had a malicious bit of code added to version 3.3.6 which has since been removed from github and appears to have specifically targeted copay.

    From the original post in the event-stream repo:

    Am I affected?:
    πŸ‘€ > If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to by copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

    $ npm ls event-stream flatmap-stream ... [email protected] ...

    What does it do :
    πŸ›° > Other users have done some good analysis of what these payloads actually do.
    dominictarr/event-stream#116 (comment)
    dominictarr/event-stream#116 (comment)
    dominictarr/event-stream#116 (comment)

    What can I do:
    πŸš€ > By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.

    πŸ“¦ Snyk has a great writeup about this issue in their blog: https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream.

    πŸ‘€ See the issue on the event-stream repo for more information: dominictarr/event-stream#116

    Reaction Social Issue Overview

    πŸš€ This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.

    Vulnerability

    πŸ”§ | oAuth Service Configuration Publication Vulnerability | | Severity | High | | Description | oAuth social plugin secrets could be shared with unauthenticated users via a publication. | | Affected Installations | Any shops with a configured Facebook appSecret in the Reaction Social dashboard. | | Affected Versions | All versions greater or equal to v0.5.3 | | Remediation | Apply patch or upgrade to patched version of Reaction Commerce. |

    Patches

    πŸš€ Patches are attached to this release.

    πŸ”’ Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

    πŸ’» Patch files for removing the UI dependent on software version
    πŸ’» fb-app-secret-ui-{version-number}-2018-11-19.patch

    πŸ”– Version specific migration patch file for removing the appSecret from the database
    fb-app-secret-migration-{version-number}-2018-11-19.patch

    Recommendations

    Option 1: Install patched version of Reaction Commerce

    βœ… If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

    Invalidate Existing Secrets

    If you had a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

    Generate New Secrets

    If you used this App Secret in any other applications or for Facebook oAuth login within Reaction Commerce, you should generate and use a new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.