Last tested: 20 Feb, 2018

istanbul vulnerabilities

Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests


istanbul (latest)

Published 01 Feb, 2018

Known vulnerabilities: 0
Vulnerable paths: 0
Dependencies: 112

No known vulnerabilities in istanbul

Security wise, istanbul seems to be a safe package to use.
Over time, new vulnerabilities may be disclosed on istanbul and other packages. To easily find, fix and prevent such vulnerabilities, protect your repos with Snyk!

Vulnerable versions of istanbul

Fixed in 0.4.5

Regular Expression Denial of Service (DoS)

high severity

Detailed paths

  • Introduced through: grunt@0.4.4 > minimatch@0.2.14
  • Introduced through: grunt@0.4.4 > glob@3.1.21 > minimatch@0.2.14
  • Introduced through: grunt@0.4.4 > findup-sync@0.1.3 > glob@3.2.11 > minimatch@0.3.0
  • Introduced through: browser-sync@0.4.4 > gaze@0.4.3 > globule@0.1.0 > minimatch@0.2.14
  • Introduced through: browser-sync@0.4.4 > gaze@0.4.3 > globule@0.1.0 > glob@3.1.21 > minimatch@0.2.14
  • Introduced through: eslint@0.4.4 > glob@3.2.11 > minimatch@0.3.0
  • Introduced through: istanbul@0.4.4 > fileset@0.2.1 > minimatch@2.0.10

Overview

minimatch is a minimalistic matching library used for converting glob expressions into JavaScript RegExp objects. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Regular Expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations have edge cases in which matching time grows exponentially with the input size. An attacker can drive the program into these cases with specially crafted input, making the service consume excessive CPU and resulting in a Denial of Service.

An attacker can provide a long value to the minimatch function that nearly matches the pattern being matched. This causes the regular expression matching to take a long time, occupying the event loop and preventing it from processing other requests, which makes the server unavailable (a Denial of Service attack).

You can read more about Regular Expression Denial of Service (ReDoS) on our blog.

Remediation

Upgrade minimatch to version 3.0.2 or greater.


Fixed in 0.3.21

Regular Expression Denial of Service (DoS)

medium severity

Detailed paths

  • Introduced through: webpack@0.3.20 > uglify-js@1.2.6
  • Introduced through: webpack@0.3.20 > jade-loader@0.1.11 > jade@1.11.0 > transformers@2.1.0 > uglify-js@2.2.5
  • Introduced through: istanbul@0.3.20 > handlebars@3.0.0 > uglify-js@2.3.6

Overview

The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) attacks when long inputs of certain patterns are processed.

Details

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]

Remediation

Upgrade to version 2.6.0 or greater. If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.


Content Injection (XSS)

medium severity

Detailed paths

  • Introduced through: istanbul@0.3.20 > handlebars@3.0.0

Overview

When using attributes without quotes in a handlebars template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the handlebars template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.

Details

Example:

Assume handlebars was used to display a user's comment and avatar, using the following template: <img src={{avatarUrl}}><pre>{{comment}}</pre>

If an attacker spoofed their avatar URL and provided the following value: http://evil.org/avatar.png onload=alert(document.cookie)

The resulting HTML would be the following, triggering the script once the image loads: <img src=http://evil.org/avatar.png onload=alert(document.cookie)><pre>Gotcha!</pre>


Improper minification of non-boolean comparisons

high severity

Detailed paths

  • Introduced through: webpack@0.3.20 > uglify-js@1.2.6
  • Introduced through: webpack@0.3.20 > jade-loader@0.1.11 > jade@1.11.0 > transformers@2.1.0 > uglify-js@2.2.5
  • Introduced through: istanbul@0.3.20 > handlebars@3.0.0 > uglify-js@2.3.6

Overview

uglify-js is a JavaScript parser, minifier, compressor and beautifier toolkit.

Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted JavaScript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure code, activated by minification.

Details

In Boolean algebra, DeMorgan's laws describe the relationships between conjunctions (&&), disjunctions (||) and negations (!). In JavaScript form, they state that:

 !(a && b) === (!a || !b)
 !(a || b) === (!a && !b)

The laws do not hold, however, when one of the values is not a boolean: `!(a && b)` is always a boolean, whereas `a && b` evaluates to the (possibly non-boolean) value of its last operand.

Vulnerable versions of UglifyJS do not account for this restriction, and erroneously apply the laws to a statement if it can be reduced in length by it.

Consider this authentication function:

function isTokenValid(user) {
    var timeLeft =
        !!config && // config object exists
        !!user.token && // user object has a token
        !user.token.invalidated && // token is not explicitly invalidated
        !config.uninitialized && // config is initialized
        !config.ignoreTimestamps && // don't ignore timestamps
        getTimeLeft(user.token.expiry); // > 0 if expiration is in the future

    // The token must not be expired
    return timeLeft > 0;
}

function getTimeLeft(expiry) {
  return expiry - getSystemTime();
}

When minified with a vulnerable version of UglifyJS, it will produce the following insecure output, where a token will never expire:

(Formatted for readability)

function isTokenValid(user) {
    var timeLeft = !(                       // negation
        !config                             // config object does not exist
        || !user.token                      // user object does not have a token
        || user.token.invalidated           // token is explicitly invalidated
        || config.uninitialized             // config isn't initialized
        || config.ignoreTimestamps          // ignore timestamps
        || !getTimeLeft(user.token.expiry)  // > 0 if expiration is in the future
    );
    return timeLeft > 0
}

function getTimeLeft(expiry) {
    return expiry - getSystemTime()
}
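As an added example (not part of the advisory or the UglifyJS project), the two forms of isTokenValid() above run side by side on constructed inputs, with a small differential check of the kind a build step could run against its own minified bundle. The `config` object, the fixed clock `NOW`, getSystemTime() and the sample users are all constructed for this demo.

```javascript
// Added example, not from the advisory: the page's isTokenValid() in its source
// form and in the form a vulnerable UglifyJS emits, run on constructed inputs.
const config = { uninitialized: false, ignoreTimestamps: false }; // constructed
const NOW = 1000;                                                  // fixed clock
function getSystemTime() { return NOW; }
function getTimeLeft(expiry) { return expiry - getSystemTime(); } // > 0 if unexpired

// Source form: the && chain yields its last operand (a number), so
// `timeLeft > 0` really compares remaining time.
function isTokenValidOriginal(user) {
  var timeLeft =
    !!config &&
    !!user.token &&
    !user.token.invalidated &&
    !config.uninitialized &&
    !config.ignoreTimestamps &&
    getTimeLeft(user.token.expiry);
  return timeLeft > 0;
}

// Form emitted by UglifyJS <= 2.4.23: DeMorgan applied to a non-boolean operand.
// `!getTimeLeft(...)` collapses the number to a boolean, so timeLeft is true for
// any non-zero remaining time, negative included, and `true > 0` is true.
function isTokenValidMinified(user) {
  var timeLeft = !(
    !config ||
    !user.token ||
    user.token.invalidated ||
    config.uninitialized ||
    config.ignoreTimestamps ||
    !getTimeLeft(user.token.expiry)
  );
  return timeLeft > 0;
}

// Differential check a build step can run on its own minified bundle:
// returns the names of the constructed cases where the two forms disagree.
function findDivergence() {
  const cases = {
    expired: { token: { expiry: NOW - 100, invalidated: false } },
    valid:   { token: { expiry: NOW + 100, invalidated: false } },
    revoked: { token: { expiry: NOW + 100, invalidated: true } },
    noToken: {},
  };
  return Object.keys(cases).filter(
    (name) => isTokenValidOriginal(cases[name]) !== isTokenValidMinified(cases[name])
  );
}
```

Only the expired token diverges: the source form rejects it, the minified form accepts it, while valid, revoked and missing tokens are handled identically by both.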

Remediation

Upgrade UglifyJS to version 2.4.24 or higher.
