This repository has been archived by the owner on Aug 29, 2024. It is now read-only.

Severe security vulnerability #239

Open
samueltlg opened this issue Jun 6, 2018 · 5 comments

Comments

@samueltlg

Hi there,

I intend to use this package in production eventually, but it contains a severe security vulnerability (https://nodesecurity.io/advisories/551#) because it uses a version of math-js less than 3.17.0 which allows arbitrary code execution. Any chance of this being amended easily?

Thanks,
Sam
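The advisory referenced above is about a dependency version, so the practical check is whether any copy of mathjs in the lockfile is older than the first fixed release (3.17.0). The following is an added example, not code from the mathsteps project: it walks a constructed package-lock v1 dependency tree and reports every vulnerable copy with its path, using only Node built-ins.

```javascript
// Added example (not from mathsteps): scan a package-lock.json dependency tree
// for packages whose resolved version is below an advisory's fixed version.
// Here the advisory is mathjs < 3.17.0 (nodesecurity advisory 551, as cited
// in the issue). Lockfile contents are constructed so the script runs offline.

// Parse "MAJOR.MINOR.PATCH[-pre]" into comparable parts; a prerelease tag
// sorts before the matching release, as semver specifies.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the nested lockfile-v1 "dependencies" map and record every copy of an
// advised package whose version is below the fixed one, with its install path.
function findVulnerable(lock, advisories, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    const fixed = advisories[name];
    if (fixed && compareVersions(entry.version, fixed) < 0) {
      out.push({ name, version: entry.version, fixed, path: here.join(' > ') });
    }
    findVulnerable(entry, advisories, here, out);
  }
  return out;
}

// Constructed lockfile: the direct mathjs dependency is outdated, while a
// nested copy pulled in by a hypothetical plugin is already at the fixed version.
const SAMPLE_LOCK = {
  dependencies: {
    mathjs: { version: '3.16.5', dependencies: {} },
    'some-plugin': { version: '1.0.0', dependencies: { mathjs: { version: '3.17.0' } } },
  },
};
const ADVISORIES = { mathjs: '3.17.0' }; // package -> first fixed version

console.log(findVulnerable(SAMPLE_LOCK, ADVISORIES));
```

Pointing `SAMPLE_LOCK` at a real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) gives the same report for an actual checkout.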

@evykassirer
Contributor

evykassirer commented Jun 10, 2018

Hi Sam!

Yes, I've been hoping to update this, but am not sure if the new version of mathjs works. However I've been prioritizing non mathsteps things for a bit, and probably can't get to looking into this until August.

If you can make a fork and update mathjs and all the tests pass, please submit a PR with the update! If there's more complications (some tests failing), I can help investigate with you (August preferred, but if you have time constraints I can squeeze it in earlier).

Exciting that you're using it in production! I'd love to hear what you're making with it :)

@samueltlg
Author

Hi there Evy,

Thank you for responding and for the update! That is quite alright (that you’re not looking to update math-js in the near future) - and I may get round, in a few weeks, to implementing a later version of math-js in the math-steps repo. Although, admittedly, I’m not the biggest fan of math-js! The library seems overly large in size (over 500kb), and is perhaps quite outdated. I did think I saw a comment in one of the files in this repo of you or someone mentioning that you had considered implementing your own parser, since it didn’t seem to do exactly what is wanted.
Anyway, hopefully the implementation of mathjs is not too deep and ubiquitous (?), and hopefully the changes from the earlier to the current version are not too many, so it will not be too difficult to update.

With regards to what will perhaps use math-steps - I’m working on implementing a math worksheet generator here in the UK, covering an expanse of worksheets, that implement ‘variation theory’ in the generation of questions; meaning that, unlike typical formulaic math-question generation (based on mostly randomness and perhaps a bit of difficulty incrementation), there is a well-thought-out process directing the jump from question to question within a worksheet (let’s say, linear equations), allowing a sensible level of difficulty progression, and the elimination of clunky randomness where possible. The whole aim of the project is to act as a resource for teachers and schools for the quick deployment of holistic, sensible worksheets during classroom hours. And maths-steps sounds like something interesting to implement later down the line!

@evykassirer
Contributor

yes! I'd love to update to math-parser but the transition is also a huge process haha, which I've paused on for now (it's really close to being done but Kevin - who is working on the parser - and I got busy and prioritized open source stuff less than we used to)

oh very neat!! awesome to hear about ways mathsteps can be used, and about ways you're making worksheets more useful to students ^_^

@nopeless

this issue is 4 years old what

@nopeless

please fix this

I'm going to use a fork for now
