Sign upLogin

adam-26/tag-relativeformat

View on GitHub
Star
package-lock.json

Summary

Maintainability
Test Coverage

growl Command Injection
Open

    "growl": {
      "version": "1.9.2",
      "resolved": "https://registry.npmjs.org/growl/-/growl-1.9.2.tgz",
      "integrity": "sha1-Dqd0NxXbjY3ixe3hd14bRayFwC8=",
      "dev": true
Severity: Minor
Found in package-lock.json by nodesecurity

Command Injection

Overview:

Growl adds growl notification support to nodejs.

Growl does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Recommendation:

Update to version 1.10.2 or greater

fresh Regular Expression Denial of Service
Open

    "fresh": {
      "version": "0.3.0",
      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz",
      "integrity": "sha1-ZR+DjiJCTnVm3hYdg1jKoZn4PU8=",
      "dev": true
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Fresh is a module used by the Express.js framework for 'HTTP response freshness testing'. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Recommendation:

If you are using this module via express, upgrade to Express version 4.15.5 or greater.

Upgrade to 0.5.2 or greater

mime Regular Expression Denial of Service
Open

    "mime": {
      "version": "1.3.4",
      "resolved": "https://registry.npmjs.org/mime/-/mime-1.3.4.tgz",
      "integrity": "sha1-EV+eO2s9rylZmDyzjxSaLUDrXVM=",
      "dev": true
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation:

Upgrade to version 2.0.3 or greater.

cli Arbitrary File Write
Open

    "cli": {
      "version": "0.6.6",
      "resolved": "https://registry.npmjs.org/cli/-/cli-0.6.6.tgz",
      "integrity": "sha1-Aq1Eo4Cr8nraxebwzdewQ9dMU+M=",
      "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Arbitrary File Write

Overview:

lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';

The package node-cli insecurely uses the lockfile and logfile. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Recommendation:

Update to version 1.0.0 or later

shell-quote Potential Command Injection
Open

    "shell-quote": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz",
      "integrity": "sha1-GkEZbzwDM8SCMjWT1ohuzxU92YY=",
      "dev": true
Severity: Minor
Found in package-lock.json by nodesecurity

Potential Command Injection

Overview:

The npm module "shell-quote" cannot correctly escape ">" and "<" operator used for redirection in shell. I'm wondering if this might be possible vulnerability for many application which depends on shell-quote.

For example:

const quote = require('shell-quote').quote; console.log(quote(['foo>bar']));

will print "foo>bar", where "foo>bar" is desirable.

This module is downloaded more than 1M times per month and many other modules are depending on this. If an application is escaping command-line args with this module, they might be vulnerable from malicious user input.

For example: ``` var sq = require('../tests/get/shell-quote-1.6.0'); var exec = require('child_process').exec;

var pattern = process.argv[2];

command = sq.quote(['grep', pattern])); exec('cat file | ' + command, function ( err, stdout, stderr) { console.log(command, stdout);
}); ``` will be vulnerable when user input something like pattern = ':</etc/passwd', which causes the content of /etc/passwd to be leaked.

Internally, (Jon Lamendola, Nick Starke, Jacob Waddell) found that the ;, {, and } characters weren't escaped properly either. This allows for full command injection. A malicious user could input 'a;{echo,test,123,234}' to execute echo fully.

Recommendation:

Upgrade to at least version 1.6.1

debug Regular Expression Denial of Service
Open

    "debug": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz",
      "integrity": "sha1-+HBX6ZWxofauaklgZkE3vFbwOdo=",
      "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

negotiator Regular Expression Denial of Service
Open

    "negotiator": {
      "version": "0.5.3",
      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz",
      "integrity": "sha1-Jp1cR2gQ7JLtvntsLygxY4T5p+g=",
      "dev": true
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Timeline

  • April 29th 2016 - Initial report to maintainers
  • April 29th 2016 - Confirm receipt from maintainers
  • May 1st 2016 - Fix confirmed
  • May 5th 2016 - 0.6.1 published with fix
  • June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)

Recommendation:

Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "2.0.10",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz",
          "integrity": "sha1-jQh8OcazjAAbl/ynzm0OHoCvusc=",
          "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "0.3.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
          "integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
          "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

    "minimatch": {
      "version": "0.2.14",
      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz",
      "integrity": "sha1-x054BXT2PG+aCQ6Q775u9TpqdWo=",
      "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "2.0.10",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz",
          "integrity": "sha1-jQh8OcazjAAbl/ynzm0OHoCvusc=",
          "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "2.0.10",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz",
          "integrity": "sha1-jQh8OcazjAAbl/ynzm0OHoCvusc=",
          "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "0.3.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
          "integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
          "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "0.3.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
          "integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
          "dev": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Updated to version 3.0.2 or greater

There are no issues that match your filters.

Category
Status