mime
Regular Expression Denial of Service Open
"mime": {
"version": "1.3.4",
"resolved": "https://registry.npmjs.org/mime/-/mime-1.3.4.tgz",
"integrity": "sha1-EV+eO2s9rylZmDyzjxSaLUDrXVM="
},
Regular Expression Denial of Service
Overview:
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Recommendation:
Upgrade to version 2.0.3 or greater.
uglify-js
Regular Expression Denial of Service Open
"uglify-js": {
"version": "2.2.5",
"resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz",
"integrity": "sha1-puAqcNg5eSuXgEiLe4sYTAlcmcc=",
"requires": {
Regular Expression Denial of Service
Overview:
uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain kinds of input are passed into .parse().
"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]
Proof of Concept
var u = require('uglify-js');
// Build a string of `len` copies of `chr`.
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i < len; i++) {
        result = result + chr;
    }
    return result;
};
// The digit count comes from the command line; parse time grows
// superlinearly with it (see the Results below).
u.parse("var a = " + genstr(parseInt(process.argv[2], 10), "1") + ".1ee7;");
Results
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Recommendation:
Update to version 2.6.0 or later
uglify-js
Incorrect Handling of Non-Boolean Comparisons During Minification Open
"uglify-js": {
"version": "2.2.5",
"resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz",
"integrity": "sha1-puAqcNg5eSuXgEiLe4sYTAlcmcc=",
"requires": {
Incorrect Handling of Non-Boolean Comparisons During Minification
Overview:
Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted JavaScript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure code, activated by minification.
Details:
In Boolean algebra, De Morgan's laws describe the relationships between conjunctions (&&), disjunctions (||) and negations (!). In JavaScript form, they state that:
    !(a && b) === (!a) || (!b)
    !(a || b) === (!a) && (!b)
The laws do not hold, however, when one of the operands is not a boolean: in JavaScript, a && b and a || b evaluate to one of the operands themselves rather than to true or false, so rewriting the expression through a negation changes the resulting value.
Vulnerable versions of UglifyJS do not account for this restriction and erroneously apply the laws to an expression whenever doing so shortens it.
Consider this authentication function:
function isTokenValid(user) {
    var timeLeft =
        !!config &&                     // config object exists
        !!user.token &&                 // user object has a token
        !user.token.invalidated &&      // token is not explicitly invalidated
        !config.uninitialized &&        // config is initialized
        !config.ignoreTimestamps &&     // don't ignore timestamps
        getTimeLeft(user.token.expiry); // > 0 if expiration is in the future
    // The token must not be expired
    return timeLeft > 0;
}
function getTimeLeft(expiry) {
    return expiry - getSystemTime();
}
When minified with a vulnerable version of UglifyJS, it produces the following insecure output, in which a token never expires:
(Formatted for readability)
function isTokenValid(user) {
    var timeLeft = !(                      // negation
        !config                            // config object does not exist
        || !user.token                     // user object does not have a token
        || user.token.invalidated          // token is explicitly invalidated
        || config.uninitialized            // config isn't initialized
        || config.ignoreTimestamps         // ignore timestamps
        || !getTimeLeft(user.token.expiry) // > 0 if expiration is in the future
    );
    return timeLeft > 0
}
function getTimeLeft(expiry) {
    return expiry - getSystemTime()
}
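To make the semantic change concrete, the following added example (not code from the advisory or from UglifyJS) runs the source form and the minified form of isTokenValid side by side against a stubbed config object and clock, both of which are assumptions, and includes a small generic check of whether rewriting a && b as !(!a || !b) preserves the value for given operands.

```javascript
// Constructed demo: compares the developer's isTokenValid with the output a
// vulnerable UglifyJS produced. `config` and `getSystemTime` are stubs that
// stand in for the application's own; their values are assumptions.
const config = { uninitialized: false, ignoreTimestamps: false };
let now = 1000; // fake system clock
function getSystemTime() { return now; }
function getTimeLeft(expiry) { return expiry - getSystemTime(); }

// As written by the developer: `&&` yields its last operand, so when every
// guard passes, timeLeft is the numeric result of getTimeLeft (may be negative).
function isTokenValidSource(user) {
  var timeLeft =
    !!config && !!user.token && !user.token.invalidated &&
    !config.uninitialized && !config.ignoreTimestamps &&
    getTimeLeft(user.token.expiry);
  return timeLeft > 0;
}

// As rewritten by vulnerable UglifyJS: De Morgan applied to a chain whose last
// operand is a number. The outer `!` coerces timeLeft to a boolean, so any
// non-zero time left (including a negative one) becomes `true`, and true > 0.
function isTokenValidMinified(user) {
  var timeLeft = !(
    !config || !user.token || user.token.invalidated ||
    config.uninitialized || config.ignoreTimestamps ||
    !getTimeLeft(user.token.expiry)
  );
  return timeLeft > 0;
}

// Verdict of both versions for a non-invalidated token expiring at `expiry`.
function compare(expiry) {
  const user = { token: { invalidated: false, expiry } };
  return { source: isTokenValidSource(user), minified: isTokenValidMinified(user) };
}

// Generic check: is `a && b` strictly equal to its De Morgan rewrite
// `!(!a || !b)`? True for boolean operands, false once the last operand
// is a non-boolean value such as a number.
function demorganRewritePreservesValue(a, b) {
  return (a && b) === !(!a || !b);
}
```

With the clock at 1000, a token expiring at 500 is rejected by the source version but accepted by the minified one.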
Recommendation:
Upgrade UglifyJS to version >= 2.4.24.