browserify / static-module

convert module usage to inline expressions
MIT License

Problem with IQ Server vulnerability : sonatype-2020-0067 #55

Open turbo-xav opened 4 years ago

turbo-xav commented 4 years ago

Hi,

Here is my problem. I want to install "compodoc" in an internal Angular project, but one of its dependencies is blocked by IQ Server for this reason:

Sonatype-2020-0067:

EXPLANATION The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.

ROOT CAUSE static-module-3.0.4.tgzpackage/dist/acorn.js[5.5.0, 5.7.4)

ADVISORIES Third Party:https://www.npmjs.com/advisories/1488

Is there a solution to fix it in a future version of "static module"?

Best regards
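The advisory quoted above describes a parser that advances through a string in UTF-16 code units and can fail to make progress when a surrogate is not followed by its matching pair. The following is an added illustration, not code from static-module or acorn, of the defensive pattern that avoids that class of bug: a code-point reader that validates surrogate pairs explicitly, always advances by at least one unit, and carries a step budget as a second line of defence. The helper names (`codePointAt`, `scanCodePoints`) are hypothetical.

```javascript
// Added example (not static-module's or acorn's code). Reads a JavaScript
// string code point by code point, validating UTF-16 surrogate pairs.
// Every call returns width 1 or 2, so a caller that does `pos += width`
// can never stall on a lone or truncated surrogate.
function codePointAt(str, pos) {
  const hi = str.charCodeAt(pos);
  if (hi >= 0xd800 && hi <= 0xdbff) {
    // High surrogate: valid only if a low surrogate follows within bounds.
    if (pos + 1 < str.length) {
      const lo = str.charCodeAt(pos + 1);
      if (lo >= 0xdc00 && lo <= 0xdfff) {
        const cp = ((hi - 0xd800) << 10) + (lo - 0xdc00) + 0x10000;
        return { cp, width: 2, valid: true };
      }
    }
    // Lone high surrogate (end of input or not followed by a low surrogate).
    return { cp: hi, width: 1, valid: false };
  }
  if (hi >= 0xdc00 && hi <= 0xdfff) {
    // Lone low surrogate with no preceding high surrogate.
    return { cp: hi, width: 1, valid: false };
  }
  return { cp: hi, width: 1, valid: true };
}

// Scans a whole string. `maxSteps` is a termination budget: a correct scanner
// needs at most one step per code unit, so exceeding it means the loop has
// stopped making progress and the scan is aborted instead of hanging.
function scanCodePoints(str, maxSteps = str.length + 1) {
  const result = { codePoints: [], loneSurrogates: 0, steps: 0 };
  let pos = 0;
  while (pos < str.length) {
    if (++result.steps > maxSteps) {
      throw new Error('scanner failed to make progress');
    }
    const { cp, width, valid } = codePointAt(str, pos);
    if (!valid) result.loneSurrogates++;
    result.codePoints.push(cp);
    pos += width; // width is never 0, so this always advances
  }
  return result;
}

// Convenience check a parser can run on untrusted input before doing any
// heavier work: reject strings that are not well-formed UTF-16.
function isWellFormedUtf16(str) {
  return scanCodePoints(str).loneSurrogates === 0;
}

// Constructed sample inputs: a valid astral character, a lone high surrogate
// at end of input, a high surrogate followed by a non-surrogate, a lone low
// surrogate.
const samples = ['a\u{1F600}b', '\ud83d', '\ud83dx', '\ude00'];
for (const s of samples) {
  const r = scanCodePoints(s);
  console.log(JSON.stringify(s), 'codePoints:', r.codePoints.map((c) => c.toString(16)),
    'lone:', r.loneSurrogates, 'steps:', r.steps);
}
```

The two properties worth carrying into any hand-written scanner are visible here: the advance width is computed once per iteration and is never zero, and the step budget turns a latent infinite loop into a thrown error that a caller can log and reject.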

Shadowninja33 commented 3 years ago

Bumping this as it is still an issue my team is facing.

kaiynX commented 3 years ago

I am having this issue as of today as well.

sonatype-2020-0067: Explanation The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.

Root Cause static-module-3.0.4.tgzpackage/bench/input.js[5.5.0, 5.7.4)

Advisories Third Party:https://www.npmjs.com/advisories/1488

goto-bus-stop commented 3 years ago

Root Cause static-module-3.0.4.tgz package/bench/input.js[5.5.0, 5.7.4)

I'm not sure if I'm reading this right, but the bench/input.js file is only used as input for the tests and it is never ever executed. If this file is marked as a "root cause", that is a false positive that you should ignore or flag with your provider.

goto-bus-stop commented 3 years ago

Regardless of anything, you probably aren't using static-module on untrusted input, so even if it's flagging code that is actually running it's still a false positive that you can ignore and that sonatype should stop reporting.

If you are using static-module (or likely brfs) on untrusted input you have bigger problems than this, because there are intentional arbitrary code execution "vulnerabilities" that are essential to the functioning of this package. It is simply not intended to be used that way. It should only be used at build time on your own (i.e. trusted) code.