Does Rstudio use web-pack nodejs package prior to 5.76.0? (cybersecurity)

So I don't want to create any panic. I am not a cybersecurity expert.

Recap: The latest versions of Rstudio desktop do not seem to be installing correctly, as I and a few others have noticed - link to the earliest post. In my case, I immediately noticed the cause was related to anti-virus.

So I compared major versions. I found changes made to the version of webpack used between Rstudio versions based on the lock file. If Rstudio is using webpack, then what version is it using? I am not 100% sure... but I think it's using version 5.69.0 or 5.72.0. I discovered that webpack has a cybersecurity vulnerability for versions prior to 5.76.0. This is the CVE page:

The file is so large that I am having trouble loading it. So below, as code, are the line numbers where I found the issue:

Dependencies that changed between versions that I have found so far:

https://github.com/rstudio/rstudio/blob/main/src/node/desktop/package-lock.json

Line 35
"fork-ts-checker-webpack-plugin": "8.0.0",
Line 7232
"webpack": "^5.11.0"
Line 833 - 835

"webpack-dev-server": "^4.0.0",
"webpack-merge": "^5.7.3"

Lines 15079 - 15081 and Lines 27209 - 27212

"node_modules/webpack": {
      "version": "5.72.1",
      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.72.1.tgz",

Line 16413
"webpack": "^5.69.1",

Other lines that use webpack

Line 4332
"webpack": "^5.1.0"
Line 4493
"webpack": "^5.0.0"
Line 8363
"webpack": "^5.20.0"
Line 11110
"webpack": "^5.0.0"
Line 14066
"webpack": "^5.0.0"
Line 14554
"webpack": "^5.0.0"
Line 15021
"webpack": "^4.1.0 || ^5.0.0-0"

If I understand correctly how this all works, that’s the one most worrying. The 5 major should pull the 5.76.0 or later, but I'm not entirely sure. The 4 major won't go on to 5 major. But I don't know how major 4 vs major 5 is selected. I didn't see this as a current open issue on the github repo but got a vague impression that it might be a Fedora-specific config. I checked the local install /Applications/RStudio.app/Contents/Resources/app-arm64/package-json and didn't see anything there. In the /Applications/RStudio.app/Contents/Resources/app-arm64/.webpack/main because it's minified.

I'm not the guy to file the issue on github, which is probably the best way to find out. Come back on whether you will be filing?

Yep, I already have an open GitHub issue on Rstudio. I'm just not a cybersecurity expert, so I figured it's better to ask questions than assume.

Right now the latest version of Rstudio won't install. In order to get the latest version of Rstudio installed, I need to show evidence to my cybersecurity team that the antivirus flagging is either a false positive or, if there is a legitimate concern, that the developer has put out a patch for the issue. So, in a way, I kind of have to bring up a GitHub issue.

Well, you know more about it than me for sure. As we are both not sure, I will just bring up Line 15021 as a possible typo, and Lines 15079 - 15081, to them. Thanks for the help figuring out how to bring it up.


The dependency is now at 5.89.0. https://github.com/rstudio/rstudio/blob/6b9436f529581d79c43abbea8cb08a0f6a3cdd60/src/node/desktop/package-lock.json#L13848

The package-lock.json file specifies the exact version to use. It is a generated file from npm, the package manager. The line with 5.72.1 is what would be installed at build time. The other entries are the versions that other dependencies specify could be used. One of the other dependencies must have been holding back webpack to an older version. webpack is a dev dependency and is not shipped with RStudio. The CVE describes the attack vector as coming from webpack magic comments, a feature that is not used to build RStudio.

As mentioned in the GitHub issue, RStudio failed to open because anti-virus software quarantined some files. It is not surprising that it crashed without those files. It's akin to removing a DLL and expecting a program to launch without any problems.

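The lock-file behaviour described in the reply above, and the earlier question about which of the caret ranges can reach the fixed release, as an added example that is not code from the thread or from RStudio. It assumes a lockfile v2/v3 "packages" layout and runs over a constructed sample fragment; the auditLock and rangeReport names are hypothetical.

```javascript
// Added example, not code from the thread or from RStudio. Audits a package-lock.json
// (lockfile v2/v3 "packages" map): which webpack copies are actually installed and whether
// they predate the fixed release, plus whether each declared range could accept that fix.
const MIN_FIXED = "5.76.0"; // first fixed webpack release cited in the thread
// "5.72.1" or "5.0.0-0" -> [5, 72, 1]; prerelease tag dropped (enough for >=1.0.0 carets).
const parseVersion = (v) => v.split("-")[0].split(".").map(Number);

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret "^X.Y.Z" (X >= 1) accepts >= X.Y.Z and < (X+1).0.0; "a || b" accepts either side.
// So "^5.0.0" may resolve to 5.76.0, but "^4.1.0" alone never crosses into major 5.
function satisfiesRange(range, version) {
  return range.split("||").some((part) => {
    const base = part.trim().replace(/^\^/, "");
    if (!/^\d+\.\d+\.\d+/.test(base)) return false; // other range syntax: treat as no match
    return parseVersion(version)[0] === parseVersion(base)[0] && compareVersions(version, base) >= 0;
  });
}

// Keys ending in "node_modules/webpack" are copies npm installs; their "version" is exact
// and stays fixed until the lock file is regenerated, whatever the ranges elsewhere allow.
function auditLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith("node_modules/webpack"))
    .map(([path, meta]) => ({ path, version: meta.version,
      vulnerable: compareVersions(meta.version, MIN_FIXED) < 0 }));
}

// The other "webpack": "^5.x" lines are ranges declared by dependents, not installed versions.
function rangeReport(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {}))
    for (const kind of ["dependencies", "devDependencies", "peerDependencies"]) {
      const range = meta[kind] && meta[kind].webpack;
      if (range) out.push({ path: path || "<root>", kind, range, acceptsFix: satisfiesRange(range, MIN_FIXED) });
    }
  return out;
}

// Constructed lock fragment mirroring the shapes quoted in the thread (not the real file).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { devDependencies: { webpack: "^5.69.1" } },
  "node_modules/webpack": { version: "5.72.1" },
  "node_modules/some-loader": { peerDependencies: { webpack: "^4.1.0 || ^5.0.0-0" } },
} };
console.log(auditLock(SAMPLE_LOCK), rangeReport(SAMPLE_LOCK));
```

Point it at a real lock file with `JSON.parse(fs.readFileSync(path))` in place of SAMPLE_LOCK; only the auditLock rows describe what a build would actually install.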

Thanks for letting us know it's updated.
