
Function exports has 81 lines of code (exceeds 25 allowed). Consider refactoring.

module.exports = function (grunt) {

  // Load grunt tasks automatically
  require('load-grunt-tasks')(grunt); // eslint-disable-line

Severity: Major
Found in Gruntfile.js - About 3 hrs to fix

minimatch Regular Expression Denial of Service

        "minimatch": {
          "version": "0.4.0",
          "from": "minimatch@>=0.0.0 <1.0.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz"
        }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against \\ and backtracks super-linearly on long runs of backslashes in an attacker-supplied pattern.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Update to version 3.0.2 or greater.

debug Regular Expression Denial of Service

            "debug": {
              "version": "0.7.4",
              "from": "debug@0.7.4",
              "resolved": "https://registry.npmjs.org/debug/-/debug-0.7.4.tgz"
            }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `%o` formatter. It takes around 50k characters to block for 2 seconds, making this a low-severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater otherwise.

debug Regular Expression Denial of Service

    "debug": {
      "version": "2.2.0",
      "from": "debug@2.2.0",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `%o` formatter. It takes around 50k characters to block for 2 seconds, making this a low-severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater otherwise.

minimatch Regular Expression Denial of Service

            "minimatch": {
              "version": "0.3.0",
              "from": "minimatch@>=0.3.0 <0.4.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz"
            }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against \\ and backtracks super-linearly on long runs of backslashes in an attacker-supplied pattern.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Update to version 3.0.2 or greater.

ws Denial of Service

    "ws": {
      "version": "1.1.1",
      "from": "ws@1.0.1",
      "resolved": "https://registry.npmjs.org/ws/-/ws-1.0.1.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Denial of Service

Overview:

A specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names (for example `constructor`) as extension or parameter names could be used to make a ws server crash, because the header parser stored extensions in a plain object without checking for own properties.

Proof of concept:

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation:

Upgrade to version 3.3.1 or greater.

brace-expansion ReDoS

    "brace-expansion": {
      "version": "1.1.5",
      "from": "brace-expansion@>=1.0.0 <2.0.0",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.5.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS

Overview:

brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, {1,2,3,4} would expand to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks when an untrusted pattern is expanded. A proof of concept is provided below:

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation:

Upgrade to version 1.1.7 or later.

minimatch Regular Expression Denial of Service

        "minimatch": {
          "version": "0.2.14",
          "from": "minimatch@>=0.2.9 <0.3.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz"
        }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against \\ and backtracks super-linearly on long runs of backslashes in an attacker-supplied pattern.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Update to version 3.0.2 or greater.

parsejson Regular Expression Denial of Service

    "parsejson": {
      "version": "0.0.1",
      "from": "parsejson@0.0.1",
      "resolved": "https://registry.npmjs.org/parsejson/-/parsejson-0.0.1.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed; a sufficiently long malicious input can block the event loop.

Recommendation:

Until a fix is available, do not use parsejson to parse JSON; use JSON.parse() instead if available.

growl Command Injection

    "growl": {
      "version": "1.7.0",
      "from": "growl@>=1.7.0 <1.8.0",
      "resolved": "https://registry.npmjs.org/growl/-/growl-1.7.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Command Injection

Overview:

Growl adds growl notification support to nodejs.

Growl does not properly sanitize notification input before interpolating it into a shell command passed to exec, allowing arbitrary command execution when any part of the notification is attacker-controlled.

Recommendation:

Update to version 1.10.2 or greater.

minimatch Regular Expression Denial of Service

            "minimatch": {
              "version": "0.3.0",
              "from": "minimatch@>=0.3.0 <0.4.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz"
            }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against \\ and backtracks super-linearly on long runs of backslashes in an attacker-supplied pattern.

A proof of concept is as follows: ``` var minimatch = require(“minimatch”);

// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = “[!” + genstr(1000000, “\”) + “A”;

// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```

Recommendation:

Update to version 3.0.2 or greater.

Definition for rule 'async-await/space-after-async' was not found

module.exports = function (libPath, fileContents) {
Severity: Minor
Found in lib/app.tmpl.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-await' was not found

'use strict';
Severity: Minor
Found in lib/livereload.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-async' was not found

'use strict';
Severity: Minor
Found in Gruntfile.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-async' was not found

'use strict';
Severity: Minor
Found in lib/livereload.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-await' was not found

'use strict';
Severity: Minor
Found in index.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-await' was not found

module.exports = function (libPath, fileContents) {
Severity: Minor
Found in lib/app.tmpl.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-await' was not found

'use strict';
Severity: Minor
Found in Gruntfile.js by eslint

For more information, visit http://eslint.org/docs/rules/

Definition for rule 'async-await/space-after-async' was not found

'use strict';
Severity: Minor
Found in index.js by eslint

For more information, visit http://eslint.org/docs/rules/
