Fixing ‘Axios Cross-Site Request Forgery Vulnerability’ in Mineflayer Setup


Background

  • I installed mineflayer to write my own bot, but could not complete the setup because of vulnerabilities in its dependency packages and problems caused by the dependency chain

Problem overview

  • While installing the mineflayer package, npm warned about vulnerabilities in the dependency packages
npm install mineflayer

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated lodash.get@4.4.2: This package is deprecated. Use the optional chaining (?.) operator instead.
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated eslint@7.18.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.

added 676 packages, and audited 677 packages in 29s

216 packages are looking for funding
  run `npm fund` for details

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Vulnerability details

The npm audit output showed the following vulnerabilities

npm audit

# npm audit report

axios  <=1.8.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install minecraft-protocol@1.26.5, which is a breaking change
node_modules/axios
  @xboxreplay/xboxlive-auth  >=3.0.1
  Depends on vulnerable versions of axios
  node_modules/@xboxreplay/xboxlive-auth
    prismarine-auth  *
    Depends on vulnerable versions of @xboxreplay/xboxlive-auth
    node_modules/prismarine-auth
      minecraft-protocol  1.26.0 || >=1.27.0
      Depends on vulnerable versions of prismarine-auth
      node_modules/minecraft-protocol

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

For now I just did what it told me, but...

npm warn using --force Recommended protections disabled.
npm error code EUSAGE
npm error
npm error fix can not be used without a package-lock
npm error
npm error Run a security audit
npm error
npm error Usage:
npm error npm audit [fix|signatures]
npm error
npm error Options:
npm error [--audit-level <info|low|moderate|high|critical|none>] [--dry-run] [-f|--force]
npm error [--json] [--package-lock-only] [--no-package-lock]
npm error [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
npm error [--include <prod|dev|optional|peer> [--include <prod|dev|optional|peer> ...]]
npm error [--foreground-scripts] [--ignore-scripts]
npm error [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
npm error [-ws|--workspaces] [--include-workspace-root] [--install-links]
npm error
npm error Run "npm help audit" for more info
  • Since the error "fix can not be used without a package-lock" appeared, I changed .npmrc as follows
engine-strict=true
package-lock=false # -> changed to true
  • Then it tells me, in effect, "create a lock file first"
npm warn using --force Recommended protections disabled.
npm error code ENOLOCK
npm error audit This command requires an existing lockfile.
npm error audit Try creating one first with: npm i --package-lock-only
npm error audit Original error: loadVirtual requires existing shrinkwrap file

So I ran the command below and then ran audit fix again

npm i --package-lock-only        
Debugger listening on ws://127.0.0.1:64190/c037efc9-06e3-4112-8285-45fca5a9fd8e
For help, see: https://nodejs.org/en/docs/inspector
Debugger attached.

up to date, audited 677 packages in 4s

216 packages are looking for funding
  run `npm fund` for details

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
Waiting for the debugger to disconnect...

npm audit fix --force    
Debugger listening on ws://127.0.0.1:64200/ee0ee40a-64fe-4c72-959b-fc05e85fb210
For help, see: https://nodejs.org/en/docs/inspector
Debugger attached.
npm warn using --force Recommended protections disabled.
npm warn audit Updating minecraft-protocol to 1.26.5, which is a SemVer major change.
npm warn deprecated @azure/msal-node@1.0.0-beta.6: A newer major version of this library is available. Please upgrade to the latest available version.

added 5 packages, removed 4 packages, changed 4 packages, and audited 678 packages in 4s

216 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  <=1.8.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install minecraft-protocol@1.55.0, which is outside the stated dependency range
node_modules/axios
  @azure/msal-node  <=1.14.5
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@azure/msal-node
  @xboxreplay/xboxlive-auth  >=3.0.1
  Depends on vulnerable versions of axios
  node_modules/@xboxreplay/xboxlive-auth
    minecraft-protocol  1.21.0 - 1.25.0 || 1.26.1 - 1.26.5 || 1.27.1
    Depends on vulnerable versions of @xboxreplay/xboxlive-auth
    node_modules/minecraft-protocol

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/jsonwebtoken

5 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force
Waiting for the debugger to disconnect...

Running audit fix once more, the vulnerability warnings appeared to be narrowed down to four

npm audit fix
Debugger listening on ws://127.0.0.1:64339/c264e00f-1123-4f0c-8dc5-76a254171a61
For help, see: https://nodejs.org/en/docs/inspector
Debugger attached.

up to date, audited 677 packages in 1s

216 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  <=1.8.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix`
node_modules/axios
  @xboxreplay/xboxlive-auth  >=3.0.1
  Depends on vulnerable versions of axios
  node_modules/@xboxreplay/xboxlive-auth
    prismarine-auth  *
    Depends on vulnerable versions of @xboxreplay/xboxlive-auth
    node_modules/prismarine-auth
      minecraft-protocol  1.26.0 || >=1.27.0
      Depends on vulnerable versions of prismarine-auth
      node_modules/minecraft-protocol

4 high severity vulnerabilities

To address all issues, run:
  npm audit fix
Waiting for the debugger to disconnect...

What became clear here was the dependency chain minecraft-protocol -> prismarine-auth -> @xboxreplay/xboxlive-auth -> axios, and that axios had to be brought up to 1.8.2 or later.

Root cause analysis

Checking with the npm ls axios command, the axios version actually in use was 0.21.4. What on earth?

mineflayer@4.27.0 /Users/USERNAME/mineflayer
└─┬ minecraft-protocol@1.55.0
  └─┬ prismarine-auth@2.7.0
    └─┬ @xboxreplay/xboxlive-auth@3.3.3
      └── axios@0.21.4

So I looked at @xboxreplay/xboxlive-auth, one level up in the chain, and its dependencies...

npm info @xboxreplay/xboxlive-auth dependencies

{ axios: '1.7.9' }

It turned out that its latest version, 4.1.0, depends on the latest axios release (1.7.9).

As a provisional workaround, I added an overrides field to package.json to force those dependencies to their latest versions:

"overrides": {
  "@xboxreplay/xboxlive-auth": "4.1.0",
  "axios": "1.8.2"
}

After cleaning out the existing dependencies and installing fresh, the version upgrade succeeded!

rm -rf node_modules package-lock.json && npm install

npm ls axios
mineflayer@4.27.0 /Users/USERNAME/mineflayer
└─┬ minecraft-protocol@1.55.0
  └─┬ prismarine-auth@2.7.0
    └─┬ @xboxreplay/xboxlive-auth@4.1.0 overridden
      └── axios@1.8.2 overridden
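To turn the npm ls axios inspection above into something a CI job can fail on, here is an added check script (my own example, not code from the original post or from the mineflayer project). It walks the tree from `npm ls --all --json`, which lists every nested copy, and reports any copy of axios still below 1.8.2; the tree it runs on here is a constructed sample mirroring the chain above, `loadTree` reads a saved real report instead, and the package name `some-other-tool` in the sample is hypothetical.

```javascript
// Added check (not from the original post or mineflayer): walk the tree from
// `npm ls --all --json` and report every copy of a package below its first patched release.
const FIRST_PATCHED_AXIOS = "1.8.2"; // per the audit report, axios <=1.8.1 is affected

// Compare dotted numeric versions ("1.8.2" vs "0.21.4"); returns -1, 0 or 1.
// Pre-release suffixes are dropped, which is enough for the versions in this tree.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, with the path it was reached by.
function findCopies(tree, name, path = [], out = []) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${node.version}`];
    if (dep === name) out.push({ path: here.join(" > "), version: node.version });
    findCopies(node, name, here, out);
  }
  return out;
}

// Copies of `name` still older than `minVersion`; an empty result means the override held.
function vulnerableCopies(tree, name, minVersion) {
  return findCopies(tree, name).filter(c => compareVersions(c.version, minVersion) < 0);
}

// Read a saved report produced in the project with: npm ls --all --json > ls.json
function loadTree(file) {
  return JSON.parse(require("node:fs").readFileSync(file, "utf8"));
}

// Constructed sample (not real output): the pre-override chain from the post, plus a
// second, already-patched copy under a hypothetical package, to show both are examined.
const SAMPLE_TREE = {
  name: "mineflayer-bot", version: "1.0.0",
  dependencies: {
    "minecraft-protocol": { version: "1.55.0", dependencies: {
      "prismarine-auth": { version: "2.7.0", dependencies: {
        "@xboxreplay/xboxlive-auth": { version: "3.3.3", dependencies: {
          axios: { version: "0.21.4" } } } } } } },
    "some-other-tool": { version: "2.0.0", dependencies: { axios: { version: "1.8.2" } } },
  },
};
for (const c of vulnerableCopies(SAMPLE_TREE, "axios", FIRST_PATCHED_AXIOS)) console.log(`VULNERABLE: ${c.path}`);
```

To make a CI job fail on it, set `process.exitCode = 1` when the loop finds anything.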
