Usage of debug package

[Avishagp]

Hi @tomas,

One of needle's dependencies is the debug package (used solely in needle.js).

Lately an issue posted in debug package showing there's a critical bug in the package:
User defined window.localStorage.debug could flow into new Regex() function, leading to a Regular Expression Injection.

Since the usage of debug in needle is so minimal, could you switch to using the native util.debuglog option?
It offers the exact same usage needle needs. It'd also mean one less dependency in needle.

Thank you,
Avishag

[tomas]

That would mean losing support for Node versions prior to v0.11.3. I'm not sure if that's the way to go.

Can you provide an example where the debug issue could be exploited in the context of a program using needle?

[vsridhars]

Hi,

Wanted to check if moving to a debug 4.3.x version would be possible.
Similar audit concerns are getting flagged by parsing tools.

[cmotsn]

@tomas Hi!
2023 update: the usage of debug 3.2.7 is still flagged by security tools due to a memory leak error which can be exploited (see example section in this page)

That memory leak was fixed in debug 4.3.0 in 2020. There doesn't seem to be any backport of the fix, so this would imply using the 4.x.x version of debug, which dropped support for Node 4 and Node 5.

Upgrading to debug 4.3.x would fix this vulnerability (and also the one mentioned in the original Issue post).

[tomas]

I think I'm more inclined to replace the debug package with util.debuglog as @Avishagp sugested in the first place. Would that be OK?

[cmotsn]

It would certainly remove any past and future vulnerabilities from the debug package :)

[tomas]

Would you submit a PR for this? 🙏

[cmotsn]

I can try on the weekend but as a disclaimer, I do not know the needle client nor am I very familiar with NodeJS X)