[@expo/plist] update @xmldom/xmldom to address vulnerability

Update @xmldom/xmldom to address this: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom · CVE-2022-37616 · GitHub Advisory Database · GitHub

Hi @janpe

Would you mind clarifying what the vulnerability would allow an attacker to do? My understanding is that xmldom is only used by Expo during the prebuild process. Is this something that could cause problems if someone downloads the source code for a maliciously created Expo app and runs npx expo prebuild?

Hi! I have a habit of keeping dependencies up to date, especially when there are mentions of vulnerabilities. I’m not even familiar with what xmldom does, but noticed a warning about this in my project. But feel free to ignore this if you feel that this is unnecessary.

OK, well, one thing to keep in mind is that Expo uses xmldom only during the build process. It’s not embedded/used in your app (unless you add it as a dependency). It is used for things like adding stuff to AndroidManifest.xml and Info.plist.

So I think the only way it could be a problem is if someone creates an Expo app with some malicious source code and then convinces someone to run npx expo prebuild, npx expo run (which calls prebuild) or eas build (which also calls prebuild; if they use the --local option it will run the build on their own machine, otherwise it will be run on one of the build servers).

I had a look at the description of the bug and have a vague idea of what the problem was, but I don’t know how it can be exploited, so I can’t say how likely the above scenario is.

But npx expo prebuild can run arbitrary JavaScript code anyway. And with build lifecycle hooks they could run any arbitrary commands that happen to be available. Also, when you install JS dependencies they can run post-install scripts which is again arbitrary code, basically. (See GitHub - naugtur/can-i-ignore-scripts)

Also, if someone wants to exploit you via @xmldom/xmldom they could reference an older version of it in their dependencies before convincing you to download it and run npx expo prebuild.

Note: I am just another Expo user. I don’t know what the Expo team thinks about this.

EDIT: See also: https://twitter.com/dan_abramov/status/1412776197528997894

Seems to be updated now :+1:
