Cristian-Alexandru STAICU
Hi there. Since this is a high-profile package on npm and many GitHub repositories rely on it for isolation, I was wondering if disclosure of security issues shouldn't be done...
In file lib/index.js the following use of eval is dangerous:

```js
var requiredModules = eval('(' + requires[i]).requires;
```

A malicious package may place a require clause that would lead...
In the files server/setConfiguration.js and util/response2json.js there are possibly dangerous eval call sites, e.g.:

```js
eval('var _rule = ' + o.rule);
```

An attacker that can access your server can execute...
In file mongoParse.js the following use of eval is dangerous:

```js
var normalizedFunction = eval('(function() {var obj=this; return ' + query + '})');
```

An attacker may craft a...
Even though the comment says the eval in lib/serialization.js is harmless:

```js
function deserializeFromGUI(data) {
  var res;
  data = data.replace(/^.+=[^{]+/, '');
  eval('res = ' + data);
  return res;
}
```

...
The following regular expression used in parsing the HTML documents is vulnerable to ReDoS:

```js
/(^\s+|\s+$)/g
```

The slowdown is moderately low: for 50.000 characters around 2.5 seconds matching time....
The following regular expression used in parsing the input string is vulnerable to ReDoS:

```js
/^\s+|\s+$/g
```

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time....
Hey, when encountering a self-increment operator like `x++`, NodeProf translates it into five callbacks/hook invocations: `read`, `literal`, `binaryPre`, `binary`, `write`. Is that intended? Jalangi invokes additional hooks: `unaryPre` and `unary`...
Hi, I am Cris from Endor Labs Security Research Team and I would like to report a vulnerability in this project. Can you please set up a security policy (in...
Hi, I am Cris from Endor Labs Security Research Team. Can you please create a security policy for this repository to aid with communicating security-sensitive information? Alternatively, you can create...