Replace archived lz4 package with actively maintained lz4-napi

The lz4 npm package (pierrec/node-lz4) is archived and bundles
liblz4 v1.9.2, which is vulnerable to CVE-2021-3520 (CVSS 9.8).
Replace it with lz4-napi, which uses Rust/napi-rs bindings and
supports the LZ4 frame API required for result decompression.

Resolves: SEC-15865, PECO-2020

Author: jayantsing-db

lib/result/ArrowResultHandler.ts

@@ -27,7 +27,7 @@ export default class ArrowResultHandler implements IResultsProvider<ArrowBatch>
     this.isLZ4Compressed = lz4Compressed ?? false;
 
     if (this.isLZ4Compressed && !LZ4()) {
-      throw new HiveDriverError('Cannot handle LZ4 compressed result: module `lz4` not installed');
+      throw new HiveDriverError('Cannot handle LZ4 compressed result: module `lz4-napi` not installed');
     }
   }
 

lib/result/CloudFetchResultHandler.ts

@@ -28,7 +28,7 @@ export default class CloudFetchResultHandler implements IResultsProvider<ArrowBa
     this.isLZ4Compressed = lz4Compressed ?? false;
 
     if (this.isLZ4Compressed && !LZ4()) {
-      throw new HiveDriverError('Cannot handle LZ4 compressed result: module `lz4` not installed');
+      throw new HiveDriverError('Cannot handle LZ4 compressed result: module `lz4-napi` not installed');
     }
   }
 

lib/utils/lz4.ts

@@ -1,10 +1,16 @@
-import type LZ4Namespace from 'lz4';
-
-type LZ4Module = typeof LZ4Namespace;
+interface LZ4Module {
+  encode(data: Buffer): Buffer;
+  decode(data: Buffer): Buffer;
+}
 
 function tryLoadLZ4Module(): LZ4Module | undefined {
   try {
-    return require('lz4'); // eslint-disable-line global-require
+    // eslint-disable-next-line global-require
+    const lz4napi = require('lz4-napi');
+    return {
+      encode: lz4napi.compressFrameSync,
+      decode: lz4napi.decompressFrameSync,
+    };
   } catch (err) {
     if (!(err instanceof Error) || !('code' in err)) {
       // eslint-disable-next-line no-console

package.json

@@ -49,7 +49,6 @@
   "devDependencies": {
     "@types/chai": "^4.3.14",
     "@types/http-proxy": "^1.17.14",
-    "@types/lz4": "^0.6.4",
     "@types/mocha": "^10.0.6",
     "@types/node": "^18.11.9",
     "@types/node-fetch": "^2.6.4",
@@ -89,6 +88,6 @@
     "winston": "^3.8.2"
   },
   "optionalDependencies": {
-    "lz4": "^0.6.5"
+    "lz4-napi": "^2.9.0"
   }
 }

tests/unit/result/ArrowResultHandler.test.ts

@@ -1,6 +1,6 @@
 import { expect } from 'chai';
 import Int64 from 'node-int64';
-import LZ4 from 'lz4';
+import { compressFrameSync } from 'lz4-napi';
 import ArrowResultHandler from '../../../lib/result/ArrowResultHandler';
 import ResultsProviderStub from '../.stubs/ResultsProviderStub';
 import { TRowSet, TSparkArrowBatch, TStatusCode, TTableSchema } from '../../../thrift/TCLIService_types';
@@ -39,7 +39,7 @@ const sampleRowSet1LZ4Compressed: TRowSet = {
   rows: [],
   arrowBatches: sampleRowSet1.arrowBatches?.map((item) => ({
     ...item,
-    batch: LZ4.encode(item.batch),
+    batch: compressFrameSync(item.batch),
   })),
 };
 

tests/unit/result/CloudFetchResultHandler.test.ts

@@ -1,7 +1,7 @@
 import { expect, AssertionError } from 'chai';
 import sinon, { SinonStub } from 'sinon';
 import Int64 from 'node-int64';
-import LZ4 from 'lz4';
+import { compressFrameSync } from 'lz4-napi';
 import { Request, Response } from 'node-fetch';
 import { ShouldRetryResult } from '../../../lib/connection/contracts/IRetryPolicy';
 import { HttpTransactionDetails } from '../../../lib/connection/contracts/IConnectionProvider';
@@ -306,7 +306,7 @@ describe('CloudFetchResultHandler', () => {
 
     context.invokeWithRetryStub.callsFake(async () => ({
       request: new Request('localhost'),
-      response: new Response(LZ4.encode(expectedBatch), { status: 200 }),
+      response: new Response(compressFrameSync(expectedBatch), { status: 200 }),
     }));
 
     expect(await rowSetProvider.hasMore()).to.be.true;

tests/unit/utils/lz4.test.ts

@@ -22,14 +22,16 @@ describe('lz4 module loader', () => {
     });
   });
 
-  const mockModuleLoad = (lz4MockOrError: unknown): { restore: () => void; wasLz4LoadAttempted: () => boolean } => {
+  const mockModuleLoad = (
+    lz4MockOrError: unknown,
+  ): { restore: () => void; wasLz4LoadAttempted: () => boolean } => {
     // eslint-disable-next-line global-require
     const Module = require('module');
     const originalLoad = Module._load;
     let lz4LoadAttempted = false;
 
     Module._load = (request: string, parent: unknown, isMain: boolean) => {
-      if (request === 'lz4') {
+      if (request === 'lz4-napi') {
         lz4LoadAttempted = true;
         if (lz4MockOrError instanceof Error) {
           throw lz4MockOrError;
@@ -53,19 +55,19 @@ describe('lz4 module loader', () => {
     return require('../../../lib/utils/lz4');
   };
 
-  it('should successfully load and use lz4 module when available', () => {
-    const fakeLz4 = {
-      encode: (buf: Buffer) => {
+  it('should successfully load and use lz4-napi module when available', () => {
+    const fakeLz4Napi = {
+      compressFrameSync: (buf: Buffer) => {
         const compressed = Buffer.from(`compressed:${buf.toString()}`);
         return compressed;
       },
-      decode: (buf: Buffer) => {
+      decompressFrameSync: (buf: Buffer) => {
         const decompressed = buf.toString().replace('compressed:', '');
         return Buffer.from(decompressed);
       },
     };
 
-    const { restore } = mockModuleLoad(fakeLz4);
+    const { restore } = mockModuleLoad(fakeLz4Napi);
     const moduleExports = loadLz4Module();
     const lz4Module = moduleExports.default();
     restore();
@@ -82,8 +84,8 @@ describe('lz4 module loader', () => {
     expect(consoleWarnStub.called).to.be.false;
   });
 
-  it('should return undefined when lz4 module fails to load with MODULE_NOT_FOUND', () => {
-    const err: NodeJS.ErrnoException = new Error("Cannot find module 'lz4'");
+  it('should return undefined when lz4-napi module fails to load with MODULE_NOT_FOUND', () => {
+    const err: NodeJS.ErrnoException = new Error("Cannot find module 'lz4-napi'");
     err.code = 'MODULE_NOT_FOUND';
 
     const { restore } = mockModuleLoad(err);
@@ -95,7 +97,7 @@ describe('lz4 module loader', () => {
     expect(consoleWarnStub.called).to.be.false;
   });
 
-  it('should return undefined and log warning when lz4 fails with ERR_DLOPEN_FAILED', () => {
+  it('should return undefined and log warning when lz4-napi fails with ERR_DLOPEN_FAILED', () => {
     const err: NodeJS.ErrnoException = new Error('Module did not self-register');
     err.code = 'ERR_DLOPEN_FAILED';
 
@@ -109,7 +111,7 @@ describe('lz4 module loader', () => {
     expect(consoleWarnStub.firstCall.args[0]).to.include('Architecture or version mismatch');
   });
 
-  it('should return undefined and log warning when lz4 fails with unknown error code', () => {
+  it('should return undefined and log warning when lz4-napi fails with unknown error code', () => {
     const err: NodeJS.ErrnoException = new Error('Some unknown error');
     err.code = 'UNKNOWN_ERROR';
 
@@ -136,13 +138,13 @@ describe('lz4 module loader', () => {
     expect(consoleWarnStub.firstCall.args[0]).to.include('Invalid error object');
   });
 
-  it('should not attempt to load lz4 module when getResolvedModule is not called', () => {
-    const fakeLz4 = {
-      encode: () => Buffer.from(''),
-      decode: () => Buffer.from(''),
+  it('should not attempt to load lz4-napi module when getResolvedModule is not called', () => {
+    const fakeLz4Napi = {
+      compressFrameSync: () => Buffer.from(''),
+      decompressFrameSync: () => Buffer.from(''),
     };
 
-    const { restore, wasLz4LoadAttempted } = mockModuleLoad(fakeLz4);
+    const { restore, wasLz4LoadAttempted } = mockModuleLoad(fakeLz4Napi);
 
     // Load the module but don't call getResolvedModule
     loadLz4Module();