"braces" dependency vulnerable to "Uncontrolled resource consumption" CVE

Open patrick-laa opened this issue 1 year ago • 2 comments

sass depends on chokidar which depends on braces and as of today (13 May) there's an unpatched CVE https://www.cve.org/CVERecord?id=CVE-2024-4068 meaning that sass is flagged up as problematic by automated scanners such as Snyk.

Just flagging this up - I don't know how likely to be fixed imminently this is, as the initial thread suggests this was first disclosed in September.

patrick-laa avatar May 13 '24 15:05 patrick-laa

sass npm package is NOT vulnerable.

Please do not blindly trust the nearly useless automated scanners as they only do version checks and never check if an exploitable code path really exists.

Here is why it is not affected:

https://github.com/sass/dart-sass/blob/372f15cc24973314c08c77b9e29b31f9f801faf3/lib/src/io/js.dart#L256

sass sets disableGlobbing: true; in chokidar it will create a WatchHelper with path === watchPath:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L792-L797

The hasGlob attribute is set to false:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L210

When hasGlob is false, getDirParts, the only function that uses braces, returns early without calling braces:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L255-L256

TL;DR: Although braces is installed as a transitive dependency of sass, it's never used by sass, thus sass is not vulnerable.

ntkme avatar May 13 '24 16:05 ntkme

Thank you for explaining so clearly!

patrick-laa avatar May 13 '24 16:05 patrick-laa