Addressing security vulnerability in System.Text.Json 4.X version #68931

Closed
avanigupta opened this issue May 5, 2022 · 15 comments
Labels
area-System.Text.Json question Answer questions and provide assistance, not an issue with source code or documentation.

Comments

@avanigupta (Contributor) commented May 5, 2022

Is there any plan to release a new 4.X version of System.Text.Json due to the security vulnerability reported here: #49377

The latest 4.X version of System.Text.Json is v4.7.2 but that version still depends on System.Text.Encodings.Web v4.7.1, which has the security vulnerability: https://www.nuget.org/packages/System.Text.Json/4.7.2

We have a dependency on System.Text.Json v4.6.0 and we cannot introduce breaking changes by upgrading to 5.X version.
What would be the best way to address this issue?

@ghost commented May 5, 2022

Tagging subscribers to this area: @dotnet/area-system-text-json, @gregsdennis
See info in area-owners.md if you want to be subscribed.

@huoyaoyuan (Member)

We have a dependency on System.Text.Json v4.6.0 and we cannot introduce breaking changes by upgrading to 5.X version.

The supported framework is the same for 5.0.X. Do you mean any behavioral breaking change that's unacceptable?

I believe you can add a direct reference of System.Text.Encodings.Web in your project and select a non-vulnerable version.

@eiriktsarpalis (Member)

Is there any plan to release a new 4.X version of System.Text.Json due to the security vulnerability reported here: #49377

Most likely not, the suggested workaround is to explicitly increment the version number of the impacted package.

Echoing @huoyaoyuan's question, are there any specific breaking changes blocking your transition to the v5 package?

@eiriktsarpalis eiriktsarpalis added the question Answer questions and provide assistance, not an issue with source code or documentation. label May 6, 2022
@avanigupta (Contributor, Author)

We use System.Text.Json v4.6.0 in our Microsoft.Extensions.Configuration.AzureAppConfiguration package. If we decide to upgrade System.Text.Json to 5.X version, we'll have to bump up the major version of our library. Since this is a security vulnerability, we were hoping to release the fix quickly as a minor version upgrade so that users can start using the new version without worrying about breaking changes.

@eiriktsarpalis (Member)

Can't the Microsoft.Extensions.Configuration.AzureAppConfiguration package explicitly list System.Text.Encodings.Web v4.7.2 as a dependency?

@avanigupta (Contributor, Author)

We can do that, but that's more of a workaround than a real solution.
Is the 4.X train of System.Text.Json out of support now? If not, it seems like this vulnerability should be addressed for anyone using the 4.X versions.

@eiriktsarpalis (Member)

cc @ericstj

@jimmyca15 (Member)

@eiriktsarpalis @ericstj

Are the 4.x package versions of System.Text.Json still being supported / still receiving any possible security updates?

@eiriktsarpalis (Member)

.NET Core 3.1 will be supported until December this year, so any servicing updates should surface as 4.x package updates.

@jimmyca15 (Member)

@eiriktsarpalis

I see thanks. Doesn't the package being supported mean that it should release an update if it has a dependency on a vulnerable package?

@ericstj (Member) commented May 12, 2022

4.6.0 is from the release wave of .NET Core 3.0 and is out of support. 4.7.2 is from .NET Core 3.1 and is still serviced.

We don't currently force updates transitively when one component is updated. We don't consider it a security vulnerability in System.Text.Json that its dependency System.Text.Encodings.Web had a security vulnerability. System.Text.Json does not redistribute the vulnerability, it references a package which can be updated. At the limit -- we don't expect the entire NuGet ecosystem to churn when one component has an update.

If System.Text.Json 4.7.x happens to ship again for other servicing it should update the dependency at that time, but there is no planned update for this that I am aware of.

The fix, which should not be considered a workaround, is to reference the newer version of System.Text.Encodings.Web in any project which might transitively reference it and execute code.
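
As an added example (not code from this issue, from System.Text.Json, or from the Microsoft.Extensions.Configuration.AzureAppConfiguration package), here is what the fix huoyaoyuan and ericstj describe above looks like in a library project file: the project stays on the serviced 4.x train of System.Text.Json and adds a direct reference to the patched System.Text.Encodings.Web 4.7.2, which is the version eiriktsarpalis names. The target framework and the rest of the project shape are assumptions for illustration.

```xml
<!-- Added example, not from this issue or either package. Target framework and
     project shape are assumptions; the package versions are the ones discussed
     in the thread (System.Text.Json 4.7.2 -> System.Text.Encodings.Web 4.7.1,
     patched in 4.7.2). -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Serviced 4.x release. Its .nuspec declares a dependency on
         System.Text.Encodings.Web 4.7.1, the version with the vulnerability. -->
    <PackageReference Include="System.Text.Json" Version="4.7.2" />

    <!-- Direct reference to the patched package. NuGet resolves a direct
         reference ahead of the version a dependency asks for ("nearest wins"),
         so 4.7.2 is what lands in project.assets.json. Because this is a
         library, the generated .nuspec also lists System.Text.Encodings.Web
         4.7.2, so consumers of the package get the patched version too. -->
    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
  </ItemGroup>

</Project>
```

To confirm the override took effect, run `dotnet list package --include-transitive` in the project directory: without the direct reference, System.Text.Encodings.Web 4.7.1 appears under the transitive packages; with it, 4.7.2 appears as a top-level package. On a .NET 5 or later SDK, `dotnet list package --vulnerable --include-transitive` checks the resolved graph against the GitHub advisory database and reports the unpatched version directly.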

@jimmyca15 (Member)

@ericstj

Thank you for clarifying.

@GrabYourPitchforks (Member)

Generally speaking, the position of the .NET team has been that we do not issue patches for non-vulnerable packages. The package System.Text.Json itself is not vulnerable and does not consume vulnerable functionality. The package System.Text.Encodings.Web was the vulnerable package, and a patch has been issued for it. The solutions we have been promoting are solutions where the application itself upgrades the version of the vulnerable package, since the application is the ultimate arbiter of what gets packaged as a single unit of deployment.

The NuGet team has been considering gestures which allow applications to self-remediate. This is the preferred mechanism from our perspective, since it does not require re-shipping the entire ecosystem and invalidating existing packages every time a single dependency updates. See NuGet/Home#11549 for further discussion on this.

@eiriktsarpalis (Member)

Closing as answered.

@ericstj (Member) commented May 13, 2022

@ViktorHofer just shared this new feature with me and I think it really helps in this scenario: https://devblogs.microsoft.com/nuget/introducing-central-package-management/#transitive-pinning

Have a look at this gist https://gist.github.com/ericstj/1b9aab17e6701cda6e7f054a53fed9e3
You can see that by centrally managing your packages you can control the version of the transitive dependency without having to mention it in the project that uses its parent. NuGet also will automatically list it in the nuspec so that folks consuming your package get the same behavior regardless of whether they use that feature or not. Nice work @jeffkl!
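
As an added example (not from this issue, the linked gist, or the NuGet blog post), the central package management setup ericstj describes above: a Directory.Packages.props at the repository root that turns on transitive pinning and pins System.Text.Encodings.Web to the patched 4.7.2, even though no project in the repository references that package directly. The package set and versions are illustrative assumptions.

```xml
<!-- Added example, not from this issue or the gist it links. Placed as
     Directory.Packages.props at the repository root; package set is an
     assumption for illustration. -->
<Project>

  <PropertyGroup>
    <!-- Move all package versions out of the individual project files. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- Without this, a PackageVersion entry only applies to packages a
         project references directly. With it, an entry also pins the
         version of a package that arrives transitively. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- Referenced directly by projects; they write
         <PackageReference Include="System.Text.Json" /> with no Version. -->
    <PackageVersion Include="System.Text.Json" Version="4.7.2" />

    <!-- Not referenced directly anywhere. Transitive pinning still forces
         the resolved version from the 4.7.1 that System.Text.Json 4.7.2
         asks for up to 4.7.2, and NuGet adds it to the produced .nuspec so
         downstream consumers get the same version. -->
    <PackageVersion Include="System.Text.Encodings.Web" Version="4.7.2" />
  </ItemGroup>

</Project>
```

With this file in place, the project files drop their `Version` attributes and keep only `<PackageReference Include="System.Text.Json" />`; `dotnet list package --include-transitive` then shows System.Text.Encodings.Web resolved to 4.7.2 in every project that pulls in System.Text.Json. Unlike the direct-reference approach, a later servicing bump is a one-line change in the props file rather than an edit to each project.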

@ghost ghost locked as resolved and limited conversation to collaborators Jun 13, 2022