Vulnerable version of redoc package

[mhv-trackunit]

We have found out, that the version of redoc in airflow/www/package.json is set to “^2.0.0-rc.72”, which seems to have a prototype pollution vulnerability.
A link to Snyk documentation on the issue: https://security.snyk.io/vuln/SNYK-JS-REDOC-8664933

[potiuk]

Yes - this is public information - redoc has this vulnerabily,

Do you think airlfow is vulnerable and have a reproduction scenario? Then follow the security policy https://github.com/apache/airflow/security/policy and report it - including the scenario where it can be used to make harm. We would love to see such report - can you help with it plese @mhv-trackunit since you are interested in it? or maybe your company could pay security reserchers to investigate it? We would love to be able to get more insight

[mhv-trackunit]

I don't have a specific vulnerable scenario, it was just something that our Snyk has picked up and I wanted to share.

[potiuk]

I think if anyone wants to share every single of 70-0+ Python and about 1000+ of javascript dependencies of airflow would like to share it in discussions - then our discussions will be useless because we would have 10s of those a week. And vulnerebility scanners are available for everyone - I am not sure what value is with publicly stating public CVE in a dependency which no-one knows if it affects airflow or not.

On the other hand, if you your company would like to invest time and effort in analysing if such vulnerability affects airflow and show a relevant scenario (and report it responsibly and privately), then yes, there is a huge value in it and we warmly welcome people who would like to give back for the free software they get from this community.

When we make Airlfow releases - we regularly upgrade to latest possible non-vulnerable (hopefully) versions of dependencies usually when we release - so if you are worried about it, you should wait for next release (and in Airflow 3 I think we have no redoc at all, so you might just wait for Airlfow 3).

If however you checked and found out that the vulnerability in a 3rd-party dependency actually "affects" airflow and can be exploited and is dangerous, we would definitely appreciate privately reporting it. Just reporing "there is a vulnerability somewhere and we have no idea if it affects you" in airflow repo makes very little sense, add noise and confusion.

I woudl really appreciate if this is the default thiking here. Publishing "hey there is a vulnerability in this and that AND this is how you can exploit it" reported privately, rather than polluting our discussions with such posts.