Showing 19 of 19 total issues
Function `exports` has 81 lines of code (exceeds 25 allowed). Consider refactoring. Open

```javascript
module.exports = function (grunt) {
  // Load grunt tasks automatically
  require('load-grunt-tasks')(grunt); // eslint-disable-line
```
minimatch
Regular Expression Denial of Service Open
```json
"minimatch": {
  "version": "0.4.0",
  "from": "minimatch@>=0.0.0 <1.0.0",
  "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz"
}
```
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, `minimatch(path, pattern)`, is vulnerable to ReDoS in the `pattern` parameter. This is because of the regular expression on line 521 of minimatch.js: `/((?:\\{2})*)(\\?)\|/g`. The problematic portion of the regex is `((?:\\{2})*)`, which matches against `\\`.
A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// a pattern of one million backslashes triggers the backtracking in the regex above
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
Recommendation:
Update to version 3.0.2 or greater.
debug
Regular Expression Denial of Service Open
```json
"debug": {
  "version": "0.7.4",
  "from": "debug@0.7.4",
  "resolved": "https://registry.npmjs.org/debug/-/debug-0.7.4.tgz"
}
```
Regular Expression Denial of Service
Overview:
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Recommendation:
Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.
debug
Regular Expression Denial of Service Open
```json
"debug": {
  "version": "2.2.0",
  "from": "debug@2.2.0",
  "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz"
},
```
minimatch
Regular Expression Denial of Service Open
```json
"minimatch": {
  "version": "0.3.0",
  "from": "minimatch@>=0.3.0 <0.4.0",
  "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz"
}
```
ws
Denial of Service Open
```json
"ws": {
  "version": "1.1.1",
  "from": "ws@1.0.1",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.0.1.tgz"
},
```
Denial of Service
Overview:
A specially crafted value of the `Sec-WebSocket-Extensions` header that used `Object.prototype` property names as extension or parameter names could be used to make a ws server crash.
Proof of concept:
```javascript
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```
Recommendation:
Upgrade to version 3.3.1 or greater
brace-expansion
ReDoS Open
```json
"brace-expansion": {
  "version": "1.1.5",
  "from": "brace-expansion@>=1.0.0 <2.0.0",
  "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.5.tgz"
},
```
ReDoS
Overview:
brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, `{1,2,3,4}` would expand to `1 2 3 4`.

brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:

```javascript
var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```
Recommendation:
Upgrade to version 1.1.7 or later.
minimatch
Regular Expression Denial of Service Open
```json
"minimatch": {
  "version": "0.2.14",
  "from": "minimatch@>=0.2.9 <0.3.0",
  "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz"
}
```
parsejson
Regular Expression Denial of Service Open
```json
"parsejson": {
  "version": "0.0.1",
  "from": "parsejson@0.0.1",
  "resolved": "https://registry.npmjs.org/parsejson/-/parsejson-0.0.1.tgz"
},
```
Regular Expression Denial of Service
Overview:
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
Recommendation:
Until a fix is available, do not use parsejson to parse JSON. Use `JSON.parse()` instead if available.
growl
Command Injection Open
```json
"growl": {
  "version": "1.7.0",
  "from": "growl@>=1.7.0 <1.8.0",
  "resolved": "https://registry.npmjs.org/growl/-/growl-1.7.0.tgz"
},
```
Command Injection
Overview:
Growl adds growl notification support to nodejs. Growl does not properly sanitize input before passing it to `exec`, allowing for arbitrary command execution.
Recommendation:
Update to version 1.10.2 or greater.
minimatch
Regular Expression Denial of Service Open
```json
"minimatch": {
  "version": "0.3.0",
  "from": "minimatch@>=0.3.0 <0.4.0",
  "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz"
}
```
Definition for rule 'async-await/space-after-async' was not found Open
```javascript
module.exports = function (libPath, fileContents) {
```
For more information see: http://eslint.org/docs/rules/
Definition for rule 'async-await/space-after-await' was not found Open
```javascript
'use strict';
```
Definition for rule 'async-await/space-after-async' was not found Open
```javascript
'use strict';
```
Definition for rule 'async-await/space-after-async' was not found Open
```javascript
'use strict';
```
Definition for rule 'async-await/space-after-await' was not found Open
```javascript
'use strict';
```
Definition for rule 'async-await/space-after-await' was not found Open
```javascript
module.exports = function (libPath, fileContents) {
```
Definition for rule 'async-await/space-after-await' was not found Open
```javascript
'use strict';
```
Definition for rule 'async-await/space-after-async' was not found Open
```javascript
'use strict';
```