Last tested: 20 Feb, 2018

sinopia vulnerabilities

Private npm repository server

sinopia (latest)

Published 18 Jan, 2018

Known vulnerabilities: 5
Vulnerable paths: 6
Dependencies: 234

Regular Expression Denial of Service (DoS)

medium severity

Detailed paths

  • Introduced through: sinopia@1.4.0 > handlebars@2.0.0 > uglify-js@2.3.6

Overview

The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) attacks when long inputs of certain patterns are processed.

Details

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]

Remediation

Upgrade to version 2.6.0 or greater. If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.

Content Injection (XSS)

medium severity

Detailed paths

  • Introduced through: sinopia@1.4.0 > handlebars@2.0.0

Overview

When using attributes without quotes in a handlebars template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the handlebars template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.

Details

Example:

Assume handlebars was used to display user comments and an avatar, using the following template:

<img src={{avatarUrl}}><pre>{{comment}}</pre>

If an attacker spoofed their avatar URL and provided the following value:

http://evil.org/avatar.png onload=alert(document.cookie)

The resulting HTML would be the following, triggering the script once the image loads:

<img src=http://evil.org/avatar.png onload=alert(document.cookie)><pre>Gotcha!</pre>

Handlebars HTML-escapes the substituted value, but this payload needs no character the escaper touches: an unquoted attribute value ends at the first space, so the browser reads onload=... as a second attribute. Quoting the attribute in the template (src="{{avatarUrl}}") keeps the whole value inside src, because any " in the value is escaped.
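To make the attribute split concrete, here is an added example (not Handlebars or sinopia code) with a small stand-in for Handlebars' {{ }} escaping: it renders the advisory's template with the attacker's avatar URL, lists the attributes a browser would see on the resulting tag, and lints a template for unquoted attribute expressions. The escape set is an assumption modelled on a Handlebars 2.x release; the attribute tokenizer is a simplification of the HTML rules.

```javascript
// Added example, not Handlebars or sinopia code.

// Assumed escape set of a Handlebars 2.x era release: & < > " ' and backtick.
// Space and '=' are not in it, and those are the two characters the payload needs.
const ESCAPE_2X = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
// Later Handlebars releases also escape '=', which breaks the attribute split.
const ESCAPE_WITH_EQ = Object.assign({ '=': '&#x3D;' }, ESCAPE_2X);

function escapeExpression(value, map) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => map[ch] || ch);
}

// Minimal renderer: only {{name}} substitution with escaping, enough for the demo.
function render(template, ctx, map = ESCAPE_2X) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => escapeExpression(ctx[name], map));
}

// Simplified attribute tokenizer: which attributes would a browser see on the
// first tag of the markup? (HTML5 rule used here: an unquoted value ends at whitespace.)
function attributeNames(markup) {
  const tag = markup.match(/<[a-zA-Z][^>]*>/);
  if (!tag) return [];
  const names = [];
  const re = /\s([^\s=>]+)=(?:"[^"]*"|'[^']*'|[^\s>]*)/g;
  let m;
  while ((m = re.exec(tag[0])) !== null) names.push(m[1]);
  return names;
}

// Template lint: attribute=value pairs whose value starts with {{ and no quote.
function unquotedAttributeMustaches(template) {
  const hits = [];
  const re = /\s([^\s=>]+)=\{\{/g;
  let m;
  while ((m = re.exec(template)) !== null) hits.push(m[1]);
  return hits;
}

// Constructed data, taken from the advisory's scenario.
const attacker = {
  avatarUrl: 'http://evil.org/avatar.png onload=alert(document.cookie)',
  comment: 'Gotcha!',
};
const UNQUOTED = '<img src={{avatarUrl}}><pre>{{comment}}</pre>';
const QUOTED = '<img src="{{avatarUrl}}"><pre>{{comment}}</pre>';

console.log(render(UNQUOTED, attacker), attributeNames(render(UNQUOTED, attacker)));
console.log(render(QUOTED, attacker), attributeNames(render(QUOTED, attacker)));
console.log('unquoted attribute expressions:', unquotedAttributeMustaches(UNQUOTED));
```

The unquoted template yields a tag with two attributes, src and onload; the quoted template yields one. Running the lint over your templates in CI catches the pattern before an attacker's value does.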

Regular Expression Denial of Service (DoS)

high severity

Detailed paths

  • Introduced through: sinopia@1.4.0 > minimatch@1.0.0

Overview

minimatch is a minimalistic matching library used for converting glob expressions into JavaScript RegExp objects. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations have edge cases in which matching time grows super-linearly (polynomially or exponentially) with input size. An attacker who can feed specially crafted input to such a pattern drives the matcher into that worst case, making the service consume excessive CPU and resulting in a Denial of Service.

An attacker can provide a long value to the minimatch function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

Remediation

Upgrade minimatch to version 3.0.2 or greater.

Regular Expression Denial of Service (ReDoS)

low severity

Detailed paths

  • Introduced through: sinopia@1.4.0 > express@5.0.0-alpha.6 > send@0.15.6 > mime@1.3.4
  • Introduced through: sinopia@1.4.0 > express@5.0.0-alpha.6 > serve-static@1.12.6 > send@0.15.6 > mime@1.3.4

Overview

mime is a comprehensive, compact MIME type module.

Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). The lookup uses the regex /.*[\.\/\\]/ to strip everything up to the last dot or path separator; on input that contains no such character the greedy .* is retried from every start position, so matching time grows quadratically with input length, about 2 seconds for 50k characters.

Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations have edge cases in which matching time grows super-linearly with input size; an attacker who can feed specially crafted input to such a pattern makes the service consume excessive CPU, resulting in a Denial of Service.

Remediation

Upgrade mime to versions 1.4.1, 2.0.3 or higher.

Improper minification of non-boolean comparisons

high severity

Detailed paths

  • Introduced through: sinopia@1.4.0 > handlebars@2.0.0 > uglify-js@2.3.6

Overview

uglify-js is a JavaScript parser, minifier, compressor and beautifier toolkit.

Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability that allows a specially crafted JavaScript file to change behaviour after minification. Yan demonstrated that this lets potentially malicious code be hidden inside apparently safe source and activated by minification.

Details

In Boolean algebra, De Morgan's laws describe the relationship between conjunctions (&&), disjunctions (||) and negations (!). In JavaScript form, they state that:

 !(a && b) === ((!a) || (!b))
 !(a || b) === ((!a) && (!b))

The laws only hold when both operands are booleans. JavaScript's && and || return one of their operands unchanged, so with a non-boolean operand the two sides differ: a && b may evaluate to a number, while !(!a || !b) is always true or false.

Vulnerable versions of UglifyJS do not account for this restriction, and apply the laws to any expression that the rewrite makes shorter.

Consider this authentication function:

function isTokenValid(user) {
    var timeLeft =
        !!config && // config object exists
        !!user.token && // user object has a token
        !user.token.invalidated && // token is not explicitly invalidated
        !config.uninitialized && // config is initialized
        !config.ignoreTimestamps && // don't ignore timestamps
        getTimeLeft(user.token.expiry); // > 0 if expiration is in the future

    // The token must not be expired
    return timeLeft > 0;
}

function getTimeLeft(expiry) {
  return expiry - getSystemTime();
}

When minified with a vulnerable version of UglifyJS, it will produce the following insecure output, where a token will never expire:

( Formatted for readability )

function isTokenValid(user) {
    var timeLeft = !(                       // negation
        !config                             // config object does not exist
        || !user.token                      // user object does not have a token
        || user.token.invalidated           // token is explicitly invalidated
        || config.uninitialized             // config isn't initialized
        || config.ignoreTimestamps          // ignore timestamps
        || !getTimeLeft(user.token.expiry)  // > 0 if expiration is in the future
    );
    return timeLeft > 0
}

function getTimeLeft(expiry) {
    return expiry - getSystemTime()
}
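Running the two versions side by side makes the failure visible. This is an added example, not part of the advisory or of UglifyJS: config, getSystemTime and the token objects are stubs constructed for it, and isTokenValidSafe is one way of writing the check so that no minifier can merge the boolean guards with the numeric comparison.

```javascript
// Added example, not code from the advisory or UglifyJS.

// Stubs assumed for this example.
const config = { uninitialized: false, ignoreTimestamps: false };

function getSystemTime() {
  return 1000; // constructed "now"
}

function getTimeLeft(expiry) {
  return expiry - getSystemTime();
}

// As written: the && chain yields its last operand (a number) when every
// guard is truthy, so timeLeft > 0 really tests the expiry.
function isTokenValidOriginal(user) {
  var timeLeft =
    !!config &&
    !!user.token &&
    !user.token.invalidated &&
    !config.uninitialized &&
    !config.ignoreTimestamps &&
    getTimeLeft(user.token.expiry);
  return timeLeft > 0;
}

// As a vulnerable UglifyJS rewrites it: !(...) is a boolean, so timeLeft is
// true for every non-zero time left, including negative (expired) ones.
function isTokenValidMinified(user) {
  var timeLeft = !(
    !config ||
    !user.token ||
    user.token.invalidated ||
    config.uninitialized ||
    config.ignoreTimestamps ||
    !getTimeLeft(user.token.expiry)
  );
  return timeLeft > 0;
}

// Guard against this class of bug: keep boolean checks and the numeric
// comparison in separate statements, so there is nothing to fold.
function isTokenValidSafe(user) {
  if (!config || !user.token || user.token.invalidated) return false;
  if (config.uninitialized || config.ignoreTimestamps) return false;
  return getTimeLeft(user.token.expiry) > 0;
}

function compare(user) {
  return {
    original: isTokenValidOriginal(user),
    minified: isTokenValidMinified(user),
    safe: isTokenValidSafe(user),
  };
}

// Constructed inputs.
const liveToken = { token: { expiry: 1500, invalidated: false } };   // 500 left
const expiredToken = { token: { expiry: 500, invalidated: false } }; // -500 left
const revokedToken = { token: { expiry: 1500, invalidated: true } };

console.log('live   ', compare(liveToken));
console.log('expired', compare(expiredToken));
console.log('revoked', compare(revokedToken));
```

The expired token is rejected by the original and accepted by the minified form; the revoked token is rejected by both, which is why a test suite that never covers expiry would not notice the change.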

Remediation

Upgrade UglifyJS to version 2.4.24 or higher.

Vulnerable versions of sinopia

Fixed in 1.0.0

Regular Expression Denial of Service (DoS)

high severity

Detailed paths

  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > compression@1.5.2 > accepts@1.2.13 > negotiator@0.5.3
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-index@1.7.3 > accepts@1.2.13 > negotiator@0.5.3

Overview

negotiator is an HTTP content negotiator for Node.js. Versions prior to 0.6.1 are vulnerable to Regular expression Denial of Service (ReDoS) when parsing the Accept-Language HTTP header.

An attacker can provide a long value in the Accept-Language header, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the thread and preventing it from processing other requests. By repeatedly sending multiple such requests, the attacker can make the server unavailable (a Denial of Service attack).

Details

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time. [1]

Remediation

Upgrade negotiator to version 0.6.1 or greater.

Regular Expression Denial of Service (ReDoS)

low severity

Detailed paths

  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > debug@2.1.0
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > engine.io@1.5.4 > debug@1.0.3
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-parser@2.2.4 > debug@0.7.4
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-client@1.3.7 > socket.io-parser@2.2.4 > debug@0.7.4
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-client@1.3.7 > debug@0.7.4
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-adapter@0.3.1 > socket.io-parser@2.2.2 > debug@0.7.4
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-adapter@0.3.1 > debug@1.0.2
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-client@1.3.7 > engine.io-client@1.5.4 > debug@1.0.4
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > send@0.13.0 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > body-parser@1.13.3 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > compression@1.5.2 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > connect-timeout@1.6.2 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > express-session@1.11.3 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > finalhandler@0.4.0 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > morgan@1.6.1 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-index@1.7.3 > debug@2.2.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-static@1.10.3 > send@0.13.2 > debug@2.2.0

Overview

debug is a JavaScript debugging utility modelled after Node.js core's debugging technique.

debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) via the %o formatter (pretty-print an object on a single line), which applied the regular expression /\s*\n\s*/g to collapse whitespace around newlines so that the data fits on one line. The impact is low: crafted input of 50k characters takes about 2 seconds to match.

Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations have edge cases in which matching time grows super-linearly with input size; an attacker who can feed specially crafted input to such a pattern makes the service consume excessive CPU, resulting in a Denial of Service.

Remediation

Upgrade debug to version 2.6.9, 3.1.0 or higher.

Regular Expression Denial of Service (ReDoS)

low severity

Detailed paths

  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > debug@2.1.0 > ms@0.6.2
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > engine.io@1.5.4 > debug@1.0.3 > ms@0.6.2
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-client@1.3.7 > engine.io-client@1.5.4 > debug@1.0.4 > ms@0.6.2
  • Introduced through: karma@0.13.2 > socket.io@1.3.7 > socket.io-adapter@0.3.1 > debug@1.0.2 > ms@0.6.2
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > send@0.13.0 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > body-parser@1.13.3 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > compression@1.5.2 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > connect-timeout@1.6.2 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > express-session@1.11.3 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > finalhandler@0.4.0 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > morgan@1.6.1 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-index@1.7.3 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-static@1.10.3 > send@0.13.2 > debug@2.2.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > send@0.13.0 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > connect-timeout@1.6.2 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-static@1.10.3 > send@0.13.2 > ms@0.7.1
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-favicon@2.3.2 > ms@0.7.2

Overview

ms is a tiny millisecond conversion utility.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an incomplete fix for the previously reported vulnerability npm:ms:20151024. That fix limited accepted input to 10,000 characters, which turned out to be insufficient: a specially crafted string passed to ms() can still block the event loop for about 0.3 seconds on a typical laptop.

Proof of concept

const ms = require('ms');
ms('1'.repeat(9998) + 'Q'); // takes about 0.3 s on an affected version

Note: Snyk's patch for this vulnerability limits input length to 100 characters. The author considered this new limit a breaking change. Based on user feedback, we believe the risk of breakage is very low and the value to your security much greater, and therefore chose to capture this change in a patch for earlier versions as well. Whenever patching security issues, we always suggest running your tests to validate that nothing has broken.

Disclosure Timeline

  • Feb 9th, 2017 - Reported the issue to package owner.
  • Feb 11th, 2017 - Issue acknowledged by package owner.
  • April 12th, 2017 - Fix PR opened by Snyk Security Team.
  • May 15th, 2017 - Vulnerability published.
  • May 16th, 2017 - Issue fixed and version 2.0.0 released.
  • May 21st, 2017 - Patches released for versions >=0.7.1, <=1.0.0.

Remediation

Upgrade ms to version 2.0.0 or higher.

Regular Expression Denial of Service (DoS)

medium severity

Detailed paths

  • Introduced through: hapi@0.13.2 > semver@1.1.0
  • Introduced through: sinopia@0.13.2 > semver@3.0.1

Overview

The semver module uses regular expressions when parsing a version string. For carefully crafted input, the time taken to process these regular expressions is not linear in the length of the input. Since semver did not enforce a limit on version string length, an attacker could supply a long string that consumed a large amount of CPU and memory, potentially taking a server down. This enables a potential Denial of Service attack and is a slightly different variant of a typical Regular Expression Denial of Service (ReDoS): the fix bounds the input length rather than rewriting the pattern.

Remediation

Update to version 4.3.2 or greater. From the issue description [2]: "Package version can no longer be more than 256 characters long. This prevents a situation in which parsing the version number can use exponentially more time and memory to parse, leading to a potential denial of service."

Regular Expression Denial of Service (ReDoS)

high severity

Detailed paths

  • Introduced through: sinopia@0.13.2 > express@3.21.2 > fresh@0.3.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > send@0.13.0 > fresh@0.3.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > fresh@0.3.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-favicon@2.3.2 > fresh@0.3.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > serve-static@1.10.3 > send@0.13.2 > fresh@0.3.0

Overview

fresh is an HTTP response freshness testing library.

Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). The regular expression / *, */ was used to split HTTP header values (such as If-None-Match) on commas; on a long run of spaces with no comma it backtracks from every start position and takes about 2 seconds to match 50k characters.

Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations have edge cases in which matching time grows super-linearly with input size; an attacker who can feed specially crafted input to such a pattern makes the service consume excessive CPU, resulting in a Denial of Service.
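The mime and fresh entries above quote the exact patterns, so they are the natural place to show the backtracking and its linear replacement. The block below is an added example, not code from mime, fresh, sinopia or Snyk: it times both regexes on constructed worst-case input, rewrites each as a single scan that returns the same result, and adds an input-length bound of the kind the semver and ms fixes relied on (the 8192 limit is an assumption for the example). The debug, ms, negotiator and semver entries on this page have the same shape: a greedy prefix retried from every start position when the expected delimiter never appears.

```javascript
// Added example, not code from mime, fresh or sinopia.

// From the advisories: mime@1.3.4 strips everything up to the last '.', '/' or
// '\' with this pattern; fresh@0.3.0 splits a header value on this one.
const MIME_EXT_RE = /.*[\.\/\\]/;
const FRESH_SPLIT_RE = / *, */;

function extensionVulnerable(filePath) {
  return filePath.replace(MIME_EXT_RE, '').toLowerCase();
}

// One left-to-right scan for the last separator: same result, no backtracking.
// (Only difference: '.' in the regex does not cross line terminators.)
function extensionLinear(filePath) {
  let cut = -1;
  for (let i = 0; i < filePath.length; i++) {
    const c = filePath[i];
    if (c === '.' || c === '/' || c === '\\') cut = i;
  }
  return filePath.slice(cut + 1).toLowerCase();
}

function splitHeaderVulnerable(value) {
  return value.split(FRESH_SPLIT_RE);
}

// Split on ',' and drop only the spaces touching each comma, which is exactly
// what / *, */ consumes. The trimming is written as loops on purpose: / +$/
// would reintroduce quadratic backtracking on a long run of spaces.
function splitHeaderLinear(value) {
  const parts = value.split(',');
  for (let i = 0; i < parts.length; i++) {
    const s = parts[i];
    let start = 0;
    let end = s.length;
    if (i > 0) while (start < end && s[start] === ' ') start++;
    if (i < parts.length - 1) while (end > start && s[end - 1] === ' ') end--;
    parts[i] = s.slice(start, end);
  }
  return parts;
}

// Defence in depth whatever the pattern looks like: bound attacker-controlled
// input before any regex sees it. The limit is an assumption for this example.
const MAX_HEADER_LENGTH = 8192;

function splitHeaderBounded(value) {
  if (value.length > MAX_HEADER_LENGTH) {
    throw new RangeError('header value exceeds ' + MAX_HEADER_LENGTH + ' characters');
  }
  return splitHeaderLinear(value);
}

function elapsedMs(fn) {
  const start = Date.now();
  fn();
  return Date.now() - start;
}

// Constructed worst cases: no separator and no comma, respectively.
const PATHOLOGICAL_LENGTH = 20000;
const noSeparator = 'a'.repeat(PATHOLOGICAL_LENGTH);
const noComma = ' '.repeat(PATHOLOGICAL_LENGTH);

console.log('mime regex   ', elapsedMs(() => extensionVulnerable(noSeparator)), 'ms');
console.log('mime linear  ', elapsedMs(() => extensionLinear(noSeparator)), 'ms');
console.log('fresh regex  ', elapsedMs(() => splitHeaderVulnerable(noComma)), 'ms');
console.log('fresh linear ', elapsedMs(() => splitHeaderLinear(noComma)), 'ms');
```

Doubling PATHOLOGICAL_LENGTH roughly quadruples the regex timings and leaves the linear versions flat, which is the quickest way to confirm a suspected quadratic pattern in your own code before reaching for a ReDoS checker.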

Remediation

Upgrade fresh to version 0.5.2 or higher.

Prototype Override Protection Bypass

high severity

Detailed paths

  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > qs@4.0.0
  • Introduced through: sinopia@0.13.2 > express@3.21.2 > connect@2.30.2 > body-parser@1.13.3 > qs@4.0.0

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

By default qs protects against attempts to overwrite an object's existing prototype properties, such as toString() and hasOwnProperty().

From qs documentation:

By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use plainObjects as mentioned above, or set allowPrototypes to true which will allow user input to overwrite those properties. WARNING It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten. Always be careful with this option.

Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more.

In affected versions this protection can be circumvented, and prototype properties and functions overwritten, by prefixing the parameter name with [ or ]. For example, qs.parse("]=toString") returns { toString: true }; because the own property now shadows Object.prototype.toString, calling toString() on the result throws a TypeError.

Example:

qs.parse('toString=foo', { allowPrototypes: false })
// {}

qs.parse(']=toString', { allowPrototypes: false })
// { toString: true } <== prototype property shadowed
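What an own toString property does to code that later touches the object, and a post-parse check that does not depend on the parser's own protection, as an added example (not qs or sinopia code). The polluted object is constructed directly in the shape the advisory describes rather than produced by qs, and the query objects are made up for the demonstration.

```javascript
// Added example, not code from qs or sinopia.

// Stand-in for the bypass result the advisory shows, constructed directly:
// an object whose own toString property shadows Object.prototype.toString.
const polluted = { toString: true };

// Anything that stringifies the object (logging, template rendering, string
// concatenation) now throws instead of returning "[object Object]".
function describeObject(obj) {
  try {
    return 'ok:' + String(obj); // String() calls obj.toString()
  } catch (e) {
    return 'error:' + e.constructor.name;
  }
}

// Keys that exist on Object.prototype (toString, hasOwnProperty, constructor,
// valueOf, ...), plus __proto__, which is an accessor rather than a plain key.
function isPrototypeKey(key) {
  return key === '__proto__' || Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Walk a parsed query object and collect the dotted paths of offending keys.
function findPrototypeKeys(obj, prefix = '') {
  const hits = [];
  for (const key of Object.keys(obj)) {
    const p = prefix ? prefix + '.' + key : key;
    if (isPrototypeKey(key)) hits.push(p);
    const value = obj[key];
    if (value && typeof value === 'object') hits.push(...findPrototypeKeys(value, p));
  }
  return hits;
}

// Reject rather than strip: a request carrying such keys is hostile, and
// silently dropping them hides the probe from your logs.
function assertCleanQuery(obj) {
  const hits = findPrototypeKeys(obj);
  if (hits.length) throw new Error('prototype key(s) in query: ' + hits.join(', '));
  return obj;
}

console.log(describeObject({ a: 1 }));
console.log(describeObject(polluted));
console.log(findPrototypeKeys({ a: 1, user: { name: 'n', hasOwnProperty: 'x' } }));
```

Where you control the parser options, qs's plainObjects setting (objects created with a null prototype, as the quoted documentation mentions) removes the shadowing problem at the source; the check above is the belt-and-braces layer for code that receives already-parsed objects.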

Disclosure Timeline

  • February 13th, 2017 - Reported the issue to package owner.
  • February 13th, 2017 - Issue acknowledged by package owner.
  • February 16th, 2017 - Partial fix released in versions 6.0.3, 6.1.1, 6.2.2, 6.3.1.
  • March 6th, 2017 - Final fix released in versions 6.4.0,6.3.2, 6.2.3, 6.1.2 and 6.0.4

Remediation

Upgrade qs to version 6.4.0 or higher. Note: The fix was backported to the following versions 6.3.2, 6.2.3, 6.1.2, 6.0.4.

Fixed in 0.12.0

Symlink Arbitrary File Overwrite

high severity

Detailed paths

  • Introduced through: sinopia@0.11.3 > tar.gz@0.1.1 > tar@0.1.20

Overview

The tar module prior to version 2.0.0 does not properly normalize symbolic links pointing to targets outside the extraction root. As a result, packages may hold symbolic links to parent and sibling directories and overwrite those files when the package is extracted.

Remediation

Upgrade to version 2.0.0 or greater. If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.
