Page MenuHomePhabricator
Paste P59005

T354136 - semgrep sast results
ActivePublic
Actions

Authored by mmartorana on Mar 28 2024, 7:22 PM.
Tags
Referenced Files
F43688104: T354136 - semgrep sast results
Mar 28 2024, 7:22 PM
Subscribers
None
components/bin/build
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
92┆ const file = path.join(dir, item);
⋮┆----------------------------------------
92┆ const file = path.join(dir, item);
⋮┆----------------------------------------
94┆ const stat = fs.statSync(path.resolve(base, file));
⋮┆----------------------------------------
94┆ const stat = fs.statSync(path.resolve(base, file));
⋮┆----------------------------------------
113┆ const root = path.resolve(base, dir);
⋮┆----------------------------------------
113┆ const root = path.resolve(base, dir);
⋮┆----------------------------------------
129┆ const file = fs.readFileSync(path.resolve(base, name)).toString();
⋮┆----------------------------------------
129┆ const file = fs.readFileSync(path.resolve(base, name)).toString();
⋮┆----------------------------------------
210┆ const fulldir = path.resolve(LIB, dir);
⋮┆----------------------------------------
226┆ fs.writeFileSync(path.resolve(LIB, dir, name.replace(/\.ts$/, '.js')), lines.join('\n') +
'\n');
⋮┆----------------------------------------
328┆ const file = path.join(dir, name);
⋮┆----------------------------------------
328┆ const file = path.join(dir, name);
components/bin/copy
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
57┆ const copy = path.resolve(from, name);
⋮┆----------------------------------------
57┆ const copy = path.resolve(from, name);
⋮┆----------------------------------------
58┆ const dest = path.resolve(to, name);
⋮┆----------------------------------------
58┆ const dest = path.resolve(to, name);
components/bin/makeAll
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
72┆ const fulldir = path.resolve(dir);
⋮┆----------------------------------------
100┆ const file = path.join(dir, name);
⋮┆----------------------------------------
100┆ const file = path.join(dir, name);
⋮┆----------------------------------------
113┆ const file = path.join(dir, 'build.json');
⋮┆----------------------------------------
133┆ const file = path.join(dir, 'webpack.config.js');
⋮┆----------------------------------------
153┆ const file = path.join(dir, 'copy.json');
components/bin/pack
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `name` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
37┆ return new RegExp(name.replace(/([\\.{}[\]()?*^$])/g, '\\$1'), 'g');
⋮┆----------------------------------------
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
81┆ const dirRE = fileRegExp(path.resolve(dir));
⋮┆----------------------------------------
86┆ const jsdir = require(path.resolve(dir, 'webpack.config.js')).plugins[0].definitions.__JSDIR__;
⋮┆----------------------------------------
88┆ const libRE = fileRegExp(path.resolve(jsdir, '..', 'components'));
components/webpack.common.js
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
48┆ const jsdir = path.resolve(dir, js);
⋮┆----------------------------------------
48┆ const jsdir = path.resolve(dir, js);
⋮┆----------------------------------------
68┆ const jsdir = path.resolve(dir, js);
⋮┆----------------------------------------
68┆ const jsdir = path.resolve(dir, js);
⋮┆----------------------------------------
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `dir` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
69┆ const mjRE = new RegExp('^(?:' + quoteRE(jsdir) + '|' + quoteRE(mjdir) + ')' +
quoteRE(path.sep));
⋮┆----------------------------------------
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `js` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
69┆ const mjRE = new RegExp('^(?:' + quoteRE(jsdir) + '|' + quoteRE(mjdir) + ')' +
quoteRE(path.sep));
⋮┆----------------------------------------
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
75┆ libs = libs.map(lib => path.join(lib.charAt(0) === '.' ? dir : root, lib) + path.sep);
⋮┆----------------------------------------
75┆ libs = libs.map(lib => path.join(lib.charAt(0) === '.' ? dir : root, lib) + path.sep);
⋮┆----------------------------------------
86┆ resource.request.charAt(0) === '.' ? path.resolve(resource.path, resource.request) :
resource.request :
⋮┆----------------------------------------
86┆ resource.request.charAt(0) === '.' ? path.resolve(resource.path, resource.request) :
resource.request :
⋮┆----------------------------------------
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `dir` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
135┆ test: new RegExp(dirRE + quoteRE(path.sep) + '.*\\.js$'),
⋮┆----------------------------------------
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
158┆ const distDir = dist ? path.resolve(dir, dist) :
⋮┆----------------------------------------
158┆ const distDir = dist ? path.resolve(dir, dist) :
⋮┆----------------------------------------
159┆ path.resolve(path.dirname(js), 'es5', path.dirname(name));
⋮┆----------------------------------------
159┆ path.resolve(path.dirname(js), 'es5', path.dirname(name));
⋮┆----------------------------------------
163┆ entry: path.join(dir, name + '.js'),
⋮┆----------------------------------------
163┆ entry: path.join(dir, name + '.js'),
ts/a11y/explorer/Region.ts
javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an
anti-pattern that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
127┆ node.innerHTML = this.CLASS.style.cssText;
ts/a11y/explorer.ts
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `locale` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
589┆ 'values': props[prop].map(x => x.replace(RegExp('^' + prop + '_'), '')),
ts/input/asciimath/FindAsciiMath.ts
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `delims` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
100┆ this.end[open] = [close, display, new RegExp(quotePattern(close), 'g')];
ts/input/asciimath/mathjax2/legacy/MathJax.js
javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-
loop
Possibility of prototype polluting function detected. By adding or modifying attributes of
an object prototype, it is possible to create attributes that exist on every object, or
replace critical attributes with malicious ones. This can be problematic if the software
depends on existence or non-existence of certain attributes, or uses pre-defined attributes
of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations
might be: freezing the object prototype, using an object without prototypes (via
Object.create(null) ), blocking modifications of attributes that resolve to object
prototype, using Map instead of object.
Details: https://sg.run/w1DB
685┆ {if (file.hasOwnProperty(i)) {type = i.toUpperCase(); file = file[i]}}
⋮┆----------------------------------------
706┆ {if (file.hasOwnProperty(i)) {type = i.toUpperCase(); file = file[i]}}
⋮┆----------------------------------------
726┆ {for (var i in file) {if (file.hasOwnProperty(i)) {file = file[i]}}}
⋮┆----------------------------------------
1639┆ parent = config; config = config[id];
ts/input/tex/FindTeX.ts
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `end` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
158┆ return new RegExp((endp || quotePattern(end)) + '|\\\\(?:[a-zA-Z]|.)|[{}]', 'g');
⋮┆----------------------------------------
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `endp` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
158┆ return new RegExp((endp || quotePattern(end)) + '|\\\\(?:[a-zA-Z]|.)|[{}]', 'g');
ts/input/tex/base/BaseMethods.ts
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `parser` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
1162┆ const end = (env ? new RegExp(`^\\\\end\\s*\\{${env.replace(/\*/, '\\*')}\\}`) : null);
ts/ui/menu/Menu.ts
javascript.lang.security.insecure-object-assign.insecure-object-assign
Depending on the context, user control data in `Object.assign` can cause web response to
include data that it should not have or can lead to a mass assignment vulnerability.
Details: https://sg.run/2R0D
622┆ Object.assign(this.settings, JSON.parse(settings));
ts/util/asyncLoad/node.ts
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-
traversal
Detected possible user input going into a `path.join` or `path.resolve` function. This could
possibly lead to a path traversal vulnerability, where the attacker can access arbitrary
files stored in the file system. Instead, be sure to sanitize or validate user input first.
Details: https://sg.run/OPqk
34┆ return require(name.charAt(0) === '.' ? path.resolve(root, name) : name);

Event Timeline

mmartorana created this paste.Mar 28 2024, 7:22 PM
mmartorana mentioned this in T354136: Application Security Review Request: MathJax.Mar 29 2024, 5:42 PM
mmartorana changed the visibility from "Custom Policy" to "All Users".Apr 2 2024, 1:53 PM
mmartorana changed the visibility from "All Users" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL