Skip to content

Instantly share code, notes, and snippets.

@garethr

garethr/snyk-spdx.json

Created June 11, 2021 16:11
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save garethr/d53ddbbfa5d10ab8ab1b5ef72cd8333b to your computer and use it in GitHub Desktop.
Save garethr/d53ddbbfa5d10ab8ab1b5ef72cd8333b to your computer and use it in GitHub Desktop.
Download ZIP
An example output from snyk2spdx
Raw
snyk-spdx.json
{
"id": "SPDXRef-todo-list",
"name": "todo-list",
"specVersion": "SPDX-3.0",
"profile": [
"base",
"vulnerabilities"
],
"dataLicense": "CC0-1.0",
"creator": "Organization: Snyk Ltd",
"documentNamespace": "spdx.org/spdxdocs/todo-list-17f0656c-7207-4056-859d-eb4ee163082f",
"description": "Snyk test result for project todo-list in SPDX SBOM format",
"created": "2021-05-05T17:10:44Z",
"vulnerabilities": [
{
"id": "SNYK-JS-COLORSTRING-1082939",
"name": "SNYK-JS-COLORSTRING-1082939",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[color-string](https://www.npmjs.org/package/color-string) is a Parser and generator for CSS color strings\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `hwb` regular expression in the `cs.get.hwb` function in index.js. The affected regular expression exhibits quadratic worst-case time complexity.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `color-string` to version 1.5.5 or higher.\n## References\n- [GitHub Additional Information](https://github.com/Qix-/color-string/blob/master/index.js#L153)\n- [Github Commit](https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-colormin@2.2.2",
"colormin@1.1.2",
"color@0.11.4",
"color-string@0.3.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/Qix-/color-string/blob/master/index.js%23L153"
},
{
"category": "ADVISORY",
"locator": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"
}
],
"modified": "2021-03-12T15:08:04.894121Z",
"published": "2021-03-12T15:08:05.121569Z"
},
{
"id": "SNYK-JS-GLOBPARENT-1016905",
"name": "SNYK-JS-GLOBPARENT-1016905",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[glob-parent](https://www.npmjs.com/package/glob-parent) is a package that helps extracting the non-magic parent path from a glob string.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The `enclosure` regex used to check for strings ending in enclosure containing path separator.\r\n\r\n### PoC by Yeting Li\r\n```\r\nvar globParent = require(\"glob-parent\")\r\nfunction build_attack(n) {\r\nvar ret = \"{\"\r\nfor (var i = 0; i < n; i++) {\r\nret += \"/\"\r\n}\r\n\r\nreturn ret;\r\n}\r\n\r\nglobParent(build_attack(5000));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `glob-parent` to version 5.1.2 or higher.\n## References\n- [GitHub PR](https://github.com/gulpjs/glob-parent/pull/36)\n- [GitHub Release](https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"webpack@1.15.0",
"watchpack@0.2.9",
"chokidar@1.7.0",
"glob-parent@2.0.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/gulpjs/glob-parent/pull/36"
},
{
"category": "ADVISORY",
"locator": "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2"
}
],
"modified": "2021-03-07T15:12:57.015710Z",
"published": "2021-01-12T15:00:42Z"
},
{
"id": "SNYK-JS-GLOBPARENT-1016905",
"name": "SNYK-JS-GLOBPARENT-1016905",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[glob-parent](https://www.npmjs.com/package/glob-parent) is a package that helps extracting the non-magic parent path from a glob string.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The `enclosure` regex used to check for strings ending in enclosure containing path separator.\r\n\r\n### PoC by Yeting Li\r\n```\r\nvar globParent = require(\"glob-parent\")\r\nfunction build_attack(n) {\r\nvar ret = \"{\"\r\nfor (var i = 0; i < n; i++) {\r\nret += \"/\"\r\n}\r\n\r\nreturn ret;\r\n}\r\n\r\nglobParent(build_attack(5000));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `glob-parent` to version 5.1.2 or higher.\n## References\n- [GitHub PR](https://github.com/gulpjs/glob-parent/pull/36)\n- [GitHub Release](https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"webpack@1.15.0",
"watchpack@0.2.9",
"chokidar@1.7.0",
"anymatch@1.3.2",
"micromatch@2.3.11",
"parse-glob@3.0.4",
"glob-base@0.3.0",
"glob-parent@2.0.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/gulpjs/glob-parent/pull/36"
},
{
"category": "ADVISORY",
"locator": "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2"
}
],
"modified": "2021-03-07T15:12:57.015710Z",
"published": "2021-01-12T15:00:42Z"
},
{
"id": "SNYK-JS-ISSVG-1085627",
"name": "SNYK-JS-ISSVG-1085627",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[is-svg](https://www.npmjs.org/package/is-svg) is a Check if a string or buffer is SVG\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.\r\n\r\nYou are only affected if you use this package on a server that accepts SVG as user-input.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `is-svg` to version 4.2.2 or higher.\n## References\n- [GitHub Commit](https://github.com/sindresorhus/is-svg/commit/01f8a087fab8a69c3ac9085fbb16035907ab6a5b)\n- [GitHub Release](https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-svgo@2.1.6",
"is-svg@2.1.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Unknown"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Unknown"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P"
}
],
"to": [
"Unknown"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/sindresorhus/is-svg/commit/01f8a087fab8a69c3ac9085fbb16035907ab6a5b"
},
{
"category": "ADVISORY",
"locator": "https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2"
}
],
"modified": "2021-03-14T15:42:51.429133Z",
"published": "2021-03-14T15:42:51Z"
},
{
"id": "SNYK-JS-ISSVG-1243891",
"name": "SNYK-JS-ISSVG-1243891",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[is-svg](https://www.npmjs.org/package/is-svg) is a Check if a string or buffer is SVG\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `removeDtdMarkupDeclarations` and `entityRegex` regular expressions, bypassing the fix for CVE-2021-28092.\r\n\r\n### PoC by Yeting Li\r\n```\r\n//1) 1st ReDoS caused by the two sub-regexes [A-Z]+ and [^>]* in `removeDtdMarkupDeclarations`.\r\nconst isSvg = require('is-svg');\r\nfunction build_attack1(n) {\r\nvar ret = '<!'\r\nfor (var i = 0; i < n; i++) {\r\nret += 'DOCTYPE'\r\n}\r\n\r\nreturn ret+\"\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack1(i);\r\n isSvg(attack_str);\r\n\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n\r\n//2) 2nd ReDoS caused by ? the first sub-regex \\s* in `entityRegex`.\r\nfunction build_attack2(n) {\r\nvar ret = ''\r\nfor (var i = 0; i < n; i++) {\r\nret += ' '\r\n}\r\n\r\nreturn ret+\"\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack2(i);\r\n isSvg(attack_str);\r\n\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n\r\n\r\n//3rd ReDoS caused by the sub-regex \\s+\\S*\\s* in `entityRegex`.\r\nfunction build_attack3(n) {\r\nvar ret = '<!Entity'\r\nfor (var i = 0; i < n; i++) {\r\nret += ' '\r\n}\r\n\r\nreturn ret+\"\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack3(i);\r\n isSvg(attack_str);\r\n\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n\r\n//4th ReDoS caused by the sub-regex \\S*\\s*(?:\"|')[^\"]+ in `entityRegex`.\r\nfunction build_attack4(n) {\r\nvar ret = '<!Entity '\r\nfor (var i = 0; i < n; i++) {\r\nret += '\\''\r\n}\r\n\r\nreturn ret+\"\";\r\n}\r\nfor(var i = 1; i <= 50000; i++) {\r\n if (i % 10000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack4(i);\r\n isSvg(attack_str);\r\n\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `is-svg` to version 4.3.0 or higher.\n## References\n- [GitHub Commit](https://github.com/sindresorhus/is-svg/commit/732fc72779840c45a30817d3fe28e12058592b02)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-svgo@2.1.6",
"is-svg@2.1.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:R"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/sindresorhus/is-svg/commit/732fc72779840c45a30817d3fe28e12058592b02"
}
],
"modified": "2021-05-05T15:35:35.960247Z",
"published": "2021-05-05T15:35:35.708412Z"
},
{
"id": "SNYK-JS-JSYAML-173999",
"name": "SNYK-JS-JSYAML-173999",
"summary": "Denial of Service (DoS)",
"details": "## Overview\n[js-yaml](https://www.npmjs.com/package/js-yaml) is a human-friendly data serialization language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). The parsing of a specially crafted YAML file may exhaust the system resources.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `js-yaml` to version 3.13.0 or higher.\n## References\n- [GitHub Commit](https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235)\n- [GitHub Issue](https://github.com/nodeca/js-yaml/issues/475)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-svgo@2.1.6",
"svgo@0.7.2",
"js-yaml@3.7.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Shawn Rasheed",
"Jens DIetrich"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Shawn Rasheed",
"Jens DIetrich"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.9,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O"
}
],
"to": [
"Shawn Rasheed",
"Jens DIetrich"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235"
},
{
"category": "ADVISORY",
"locator": "https://github.com/nodeca/js-yaml/issues/475"
}
],
"modified": "2020-06-12T14:36:55.564388Z",
"published": "2019-03-24T10:00:08Z"
},
{
"id": "SNYK-JS-JSYAML-174129",
"name": "SNYK-JS-JSYAML-174129",
"summary": "Arbitrary Code Execution",
"details": "## Overview\n[js-yaml](https://www.npmjs.com/package/js-yaml) is a human-friendly data serialization language.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. When an object with an executable `toString()` property used as a map key, it will execute that function. This happens only for `load()`, which should not be used with untrusted data anyway. `safeLoad()` is not affected because it can't parse functions.\n## Remediation\nUpgrade `js-yaml` to version 3.13.1 or higher.\n## References\n- [GitHub Commit](https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61)\n- [GitHub PR](https://github.com/nodeca/js-yaml/pull/480)\n- [NPM Security Advisory](https://www.npmjs.com/advisories/813)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-svgo@2.1.6",
"svgo@0.7.2",
"js-yaml@3.7.0"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Alex Kocharin"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Alex Kocharin"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
94
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 8.1,
"exploitability": null,
"impact": null
}
],
"severity": "High",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"to": [
"Alex Kocharin"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61"
},
{
"category": "ADVISORY",
"locator": "https://github.com/nodeca/js-yaml/pull/480"
},
{
"category": "ADVISORY",
"locator": "https://www.npmjs.com/advisories/813"
}
],
"modified": "2020-06-12T14:37:01.431138Z",
"published": "2019-04-07T15:54:43Z"
},
{
"id": "SNYK-JS-MINIMIST-559764",
"name": "SNYK-JS-MINIMIST-559764",
"summary": "Prototype Pollution",
"details": "## Overview\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\nAffected versions of this package are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\n\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n\nThere are two main ways in which the pollution of prototypes occurs:\n\n- Unsafe `Object` recursive merge\n \n- Property definition by path\n \n\n### Unsafe Object recursive merge\n\nThe logic of a vulnerable recursive merge function follows the following high-level model:\n```\nmerge (target, source)\n\n foreach property of source\n\n if property exists and is an object on both the target and the source\n\n merge(target[property], source[property])\n\n else\n\n target[property] = source[property]\n```\n<br> \n\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\n\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\n\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\n\n### Property definition by path\n\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\n\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\n\n## Types of attacks\n\nThere are a few methods by which Prototype Pollution can be manipulated:\n\n| Type |Origin |Short description |\n|--|--|--|\n| **Denial of service (DoS)**|Client |This is the most likely attack. <br>DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`). <br> The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service. <br>**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.<br>**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.<br> **For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\n\n## Affected environments\n\nThe following environments are susceptible to a Prototype Pollution attack:\n\n- Application server\n \n- Web server\n \n\n## How to prevent\n\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\n \n2. Require schema validation of JSON input.\n \n3. Avoid using unsafe recursive merge functions.\n \n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\n \n5. As a best practice use `Map` instead of `Object`.\n\n### For more information on this vulnerability type:\n\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n## References\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"webpack@1.15.0",
"optimist@0.6.1",
"minimist@0.0.10"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Snyk Security Team"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Snyk Security Team"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.6,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
}
],
"to": [
"Snyk Security Team"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a"
},
{
"category": "ADVISORY",
"locator": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94"
},
{
"category": "ADVISORY",
"locator": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab"
},
{
"category": "ADVISORY",
"locator": "https://snyk.io/blog/prototype-pollution-minimist/"
}
],
"modified": "2020-12-20T09:48:43.878574Z",
"published": "2020-03-11T08:22:19Z"
},
{
"id": "SNYK-JS-NODEFETCH-674311",
"name": "SNYK-JS-NODEFETCH-674311",
"summary": "Denial of Service",
"details": "## Overview\n[node-fetch](https://www.npmjs.com/package/node-fetch) is an A light-weight module that brings window.fetch to node.js\n\nAffected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.\n## Remediation\nUpgrade `node-fetch` to version 2.6.1, 3.0.0-beta.9 or higher.\n## References\n- [GitHub Advisory](https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"node-fetch@1.6.3"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Unknown"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Unknown"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.9,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R"
}
],
"to": [
"Unknown"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
}
],
"modified": "2020-09-11T14:12:46.019991Z",
"published": "2020-09-11T14:12:46Z"
},
{
"id": "SNYK-JS-NODEFETCH-674311",
"name": "SNYK-JS-NODEFETCH-674311",
"summary": "Denial of Service",
"details": "## Overview\n[node-fetch](https://www.npmjs.com/package/node-fetch) is an A light-weight module that brings window.fetch to node.js\n\nAffected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.\n## Remediation\nUpgrade `node-fetch` to version 2.6.1, 3.0.0-beta.9 or higher.\n## References\n- [GitHub Advisory](https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"react@15.7.0",
"fbjs@0.8.17",
"isomorphic-fetch@2.2.1",
"node-fetch@1.6.3"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Unknown"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Unknown"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.9,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R"
}
],
"to": [
"Unknown"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
}
],
"modified": "2020-09-11T14:12:46.019991Z",
"published": "2020-09-11T14:12:46Z"
},
{
"id": "SNYK-JS-NODEFETCH-674311",
"name": "SNYK-JS-NODEFETCH-674311",
"summary": "Denial of Service",
"details": "## Overview\n[node-fetch](https://www.npmjs.com/package/node-fetch) is an A light-weight module that brings window.fetch to node.js\n\nAffected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.\n## Remediation\nUpgrade `node-fetch` to version 2.6.1, 3.0.0-beta.9 or higher.\n## References\n- [GitHub Advisory](https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"react-dom@15.7.0",
"fbjs@0.8.17",
"isomorphic-fetch@2.2.1",
"node-fetch@1.6.3"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Unknown"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Unknown"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.9,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R"
}
],
"to": [
"Unknown"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
}
],
"modified": "2020-09-11T14:12:46.019991Z",
"published": "2020-09-11T14:12:46Z"
},
{
"id": "SNYK-JS-NORMALIZEURL-1296539",
"name": "SNYK-JS-NORMALIZEURL-1296539",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[normalize-url](https://www.npmjs.org/package/normalize-url) is a Normalize a URL\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to exponential performance in `data` URLs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `normalize-url` to version 6.0.1, 5.3.1, 4.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-normalize-url@3.0.8",
"normalize-url@1.9.1"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Unknown"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Unknown"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 7.5,
"exploitability": null,
"impact": null
}
],
"severity": "High",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"to": [
"Unknown"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103"
}
],
"modified": "2021-05-25T08:28:52.760336Z",
"published": "2021-05-25T08:28:53.005502Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"autoprefixer@6.7.7",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-calc@5.3.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-colormin@2.2.2",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-convert-values@2.6.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-discard-comments@2.0.4",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-discard-duplicates@2.1.0",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-discard-empty@2.1.0",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-discard-overridden@0.1.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-discard-unused@2.2.3",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-filter-plugins@2.0.3",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-merge-idents@2.1.7",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-merge-longhand@2.0.2",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-merge-rules@2.1.2",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-minify-font-values@1.0.5",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-minify-gradients@1.0.5",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-minify-params@1.2.2",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-minify-selectors@2.1.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-normalize-charset@1.1.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-normalize-url@3.0.8",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-ordered-values@2.2.3",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-reduce-idents@2.4.0",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-reduce-initial@1.0.1",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-reduce-transforms@1.0.4",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-svgo@2.1.6",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-unique-selectors@2.0.2",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "SNYK-JS-POSTCSS-1255640",
"name": "SNYK-JS-POSTCSS-1255640",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[postcss](https://www.npmjs.com/package/postcss) is a PostCSS is a tool for transforming styles with JS plugins.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`. The vulnerable regexes are caused mainly by the sub-pattern `\\/\\*\\s*# sourceMappingURL=(.*)`.\r\n\r\n### PoC\r\n```\r\nvar postcss = require(\"postcss\")\r\nfunction build_attack(n) {\r\n var ret = \"a{}\"\r\n for (var i = 0; i < n; i++) {\r\n ret += \"/*# sourceMappingURL=\"\r\n }\r\n return ret + \"!\";\r\n}\r\n\r\n// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')\r\nfor(var i = 1; i <= 500000; i++) {\r\n if (i % 1000 == 0) {\r\n var time = Date.now();\r\n var attack_str = build_attack(i)\r\n try{\r\n postcss.parse(attack_str)\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n catch(e){\r\n var time_cost = Date.now() - time;\r\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\");\r\n }\r\n }\r\n}\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `postcss` to version 8.2.13 or higher.\n## References\n- [GitHub Commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"vueify@9.4.1",
"cssnano@3.10.0",
"postcss-zindex@2.2.0",
"postcss@5.2.18"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Yeting Li"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Yeting Li"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 5.3,
"exploitability": null,
"impact": null
}
],
"severity": "Medium",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"to": [
"Yeting Li"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956"
}
],
"modified": "2021-04-26T16:18:39.859412Z",
"published": "2021-04-26T16:18:39.832707Z"
},
{
"id": "npm:braces:20180219",
"name": "npm:braces:20180219",
"summary": "Regular Expression Denial of Service (ReDoS)",
"details": "## Overview\n[braces](https://www.npmjs.com/package/braces) is a Bash-like brace expansion, implemented in JavaScript.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It used a regular expression (`^\\{(,+(?:(\\{,+\\})*),*|,*(?:(\\{,+\\})*),+)\\}`) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.\r\n\r\n## Disclosure Timeline\r\n* Feb 15th, 2018 - Initial Disclosure to package owner\r\n* Feb 16th, 2018 - Initial Response from package owner\r\n* Feb 18th, 2018 - Fix issued\r\n* Feb 19th, 2018 - Vulnerability published\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `braces` to version 2.3.1 or higher.\n## References\n- [GitHub Commit](https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451)\n",
"relationships": [
{
"affect": {
"to": [
"todo-list@0.1.0",
"webpack@1.15.0",
"watchpack@0.2.9",
"chokidar@1.7.0",
"anymatch@1.3.2",
"micromatch@2.3.11",
"braces@1.8.5"
],
"type": "AFFECTS"
},
"foundBy": {
"to": [
"Jamie Davis"
],
"type": "FOUND_BY"
},
"suppliedBy": {
"to": [
"Jamie Davis"
],
"type": "SUPPLIED_BY"
},
"ratedBy": {
"cwes": [
185,
400
],
"rating": [
{
"method": "CVSS_3",
"score": [
{
"base": 3.7,
"exploitability": null,
"impact": null
}
],
"severity": "Low",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"
}
],
"to": [
"Jamie Davis"
],
"type": "RATED_BY"
}
}
],
"externalReferences": [
{
"category": "ADVISORY",
"locator": "https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451"
}
],
"modified": "2020-06-12T14:36:46.785771Z",
"published": "2018-02-19T16:32:28Z"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment