hash icon indicating copy to clipboard operation
hash copied to clipboard
verified publisher icon hashintel

Migrate JS internal packages to TS

Open leudz opened this issue 3 years ago • 1 comments

🌟 What is the purpose of this PR?

The PR aims to provide support for Typescript. This means having Typescript packages and behaviors.

🔗 Related links

🚫 Blocked by

🔍 What does this change?

  • Allow packages with the extensions "js", "jsx", "ts" and "tsx"

📜 Does this require a change to the docs?

  • The docs for x need updating to explain that y

⚠️ Known issues

🐾 Next steps

🛡 What tests cover this?

  • All tests involving Javascript behaviors

❓ How to test this?

  1. Checkout the branch / view the deployment
  2. Try cargo test
  3. Confirm that all tests pass

leudz avatar May 13 '22 19:05 leudz

Semgrep found 1 detect-eval-with-expression finding:

  • packages/engine/lib/execution/src/runner/javascript/apache-arrow-bundle.ts: L9326

Detected eval(variable), which could allow a malicious actor to run arbitrary code.

⚪️ This finding does not block your pull request.
🙈 From javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression.

Semgrep found 4 node_insecure_random_generator findings:

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

⚪️ This finding does not block your pull request.
🙈 From ajinabraham.njsscan.crypto_node.node_insecure_random_generator.

Semgrep found 2 node_timing_attack findings:

  • packages/engine/lib/execution/src/runner/javascript/apache-arrow-bundle.ts: L2698, L2878

String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

⚪️ This finding does not block your pull request.
🙈 From ajinabraham.njsscan.timing_attack_node.node_timing_attack.

Semgrep found 10 prototype-pollution-function findings:

  • packages/engine/lib/execution/src/runner/javascript/apache-arrow-bundle.ts: L14828-14829, L16516, L16850
  • packages/engine/lib/execution/src/runner/javascript/batch.ts: L215
  • packages/engine/lib/execution/src/runner/javascript/hash_stdlib.ts: L5128, L5130
  • packages/engine/lib/execution/src/runner/javascript/hash_util.ts: L41, L49, L111, L116

Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.

⚪️ This finding does not block your pull request.
🙈 From javascript.lang.security.audit.prototype-pollution.prototype-pollution-function.prototype-pollution-function.

semgrep-app[bot] avatar May 13 '22 19:05 semgrep-app[bot]

To revisit as part of this task (internal link)

vilkinsons avatar Nov 15 '22 19:11 vilkinsons