sass / dart-sass

The reference implementation of Sass, written in Dart.
https://sass-lang.com/dart-sass
MIT License

"braces" dependency vulnerable to "Uncontrolled resource consumption" CVE #2243

Closed patrick-laa closed 3 months ago

patrick-laa commented 3 months ago

sass depends on chokidar which depends on braces and as of today (13 May) there's an unpatched CVE https://www.cve.org/CVERecord?id=CVE-2024-4068 meaning that sass is flagged up as problematic by automated scanners such as Snyk.

Just flagging this up - I don't know how likely to be fixed imminently this is, as the initial thread suggests this was first disclosed in September.

ntkme commented 3 months ago

sass npm package is NOT vulnerable.

Please do not blindly trust the nearly useless automated scanners as they only do version checks and never check if an exploitable code path really exists.

Here is why it is not affected:

https://github.com/sass/dart-sass/blob/372f15cc24973314c08c77b9e29b31f9f801faf3/lib/src/io/js.dart#L256

sass sets disableGlobbing: true; chokidar will then create a WatchHelper with path === watchPath:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L792-L797

The hasGlob attribute is set to false:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L210

When hasGlob is false, getDirParts, the only function that uses braces, returns early without calling braces:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L255-L256


TL;DR: Although braces is installed as a transitive dependency of sass, it's never used by sass, thus sass is not vulnerable.
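To make the code-path argument above concrete, here is an added example that models the gating ntkme describes. It is a constructed simplification, not chokidar's or sass's source, and the names bracesStub, globParent, watch and bracesReached are assumptions made for the demonstration:

```javascript
// Constructed model of the control flow described in the thread:
// disableGlobbing -> path === watchPath -> hasGlob = false ->
// getDirParts returns early and braces is never called.

const calls = { braces: 0 };

// Stand-in for the `braces` package: only records that the expansion
// routine was reached; it performs no real brace expansion.
function bracesStub(pattern) {
  calls.braces += 1;
  return [pattern];
}

const GLOB_CHARS = /[*?[\]{}]/;

// Assumed helper: the path up to the first segment containing a glob character.
function globParent(p) {
  const segs = p.split('/');
  const i = segs.findIndex((s) => GLOB_CHARS.test(s));
  return i === -1 ? p : segs.slice(0, i).join('/') || '.';
}

class WatchHelper {
  constructor(path, watchPath) {
    this.path = path;
    this.watchPath = watchPath;
    // hasGlob is derived from the two paths differing.
    this.hasGlob = watchPath !== path;
  }
  // The only route to braces; skipped entirely when hasGlob is false.
  getDirParts(p) {
    if (!this.hasGlob) return [];
    const expanded = p.includes('{') ? bracesStub(p) : [p];
    return expanded.map((e) => e.split('/'));
  }
}

// Mirrors the option sass passes: disableGlobbing keeps path === watchPath.
function watch(rawPath, options = {}) {
  const watchPath = options.disableGlobbing ? rawPath : globParent(rawPath);
  return new WatchHelper(rawPath, watchPath);
}

// True if watching this path would hand input to braces at all.
function bracesReached(rawPath, options) {
  calls.braces = 0;
  watch(rawPath, options).getDirParts(rawPath);
  return calls.braces > 0;
}
```

Running bracesReached with the sass configuration (disableGlobbing: true) returns false even for a brace pattern, which is the reachability check a scanner that only compares versions never performs.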

patrick-laa commented 3 months ago

Thank you for explaining so clearly!