
Problem with IQ Server vulnerability : sonatype-2020-0067

Open turbo-xav opened this issue 5 years ago • 4 comments

Hi,

Here is my problem. I want to install "compodoc" in an internal Angular project, but one dependency is blocked by IQ Server for this reason:

Sonatype-2020-0067:
EXPLANATION The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.
ROOT CAUSE static-module-3.0.4.tgz package/dist/acorn.js [5.5.0, 5.7.4)
ADVISORIES Third Party: https://www.npmjs.com/advisories/1488

Is there a solution to fix it in a future version of "static module"?

Best regards

turbo-xav avatar Jun 15 '20 09:06 turbo-xav

Bumping this as it is still an issue my team is facing.

Shadowninja33 avatar May 25 '21 16:05 Shadowninja33

I am having this issue as of today as well.

sonatype-2020-0067: Explanation The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.

Root Cause static-module-3.0.4.tgz package/bench/input.js [5.5.0, 5.7.4)

Advisories Third Party: https://www.npmjs.com/advisories/1488

kaiynX avatar Jul 21 '21 02:07 kaiynX

Root Cause static-module-3.0.4.tgz package/bench/input.js [5.5.0, 5.7.4)

I'm not sure if I'm reading this right, but the bench/input.js file is only used as input for the tests and it is never ever executed. If this file is marked as a "root cause", that is a false positive that you should ignore or flag with your provider.

goto-bus-stop avatar Jul 21 '21 16:07 goto-bus-stop

Regardless of anything, you probably aren't using static-module on untrusted input, so even if it's flagging code that is actually running it's still a false positive that you can ignore and that sonatype should stop reporting.

If you are using static-module (or likely brfs) on untrusted input you have bigger problems than this, because there are intentional arbitrary code execution "vulnerabilities" that are essential to the functioning of this package. It is simply not intended to be used that way. It should only be used at build time on your own (i.e. trusted) code.

goto-bus-stop avatar Jul 21 '21 16:07 goto-bus-stop