
Github Advanced Security Warnings


Hi there,

We have recently purchased an upgraded license for Metronic 9.2 and upgraded our app.

When committing to Github, we are seeing multiple high severity security warnings from our GitHub Advanced Security scanning bot. e.g.

Note - this is one example - there are 170 odd of these. Some we can flag as false positives (using Math.random to generate DOM IDs is probably fine, for example).

A lot are not so easily dismissed. Here is one example:

Website/assets/plugins/custom/tinymce/plugins/codesample/plugin.js:1956

"Some regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length n is proportional to n^k or even 2^n. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service ("DoS") attack by crafting an expensive input string for the regular expression to match."

I assume we'd have non-vulnerable versions of the referenced dependencies in the latest template, but maybe there is some additional npm stuff we need to do. Or are there some best practices in terms of managing these dependencies that we're not following?

At the moment, it feels like we have accessible vulnerable JavaScript in our app.



Replies (4)


Hi Carl,

We will include the fix for the security warning as soon as possible for this week's update.

Thanks



Hi,

Thank you for informing us of this. We are currently working on the Metronic update for the Metronic 9 Tailwind version and we will check the Metronic 8 Bootstrap version packages. We will provide a fix ASAP within this week.

The warnings come from the precompiled assets. In your project you can consider recompiling the assets, including only the plugins you use, by referring to this guide:
https://devs.keenthemes.com/question/how-to-reduce-cssjs-bundle-size-by-removing-unused-resources-using-gulp

Also, you can check package.json and apply security patches for your selected 3rd-party plugins.

Regards,
Sean



Appreciate the quick response. We'll take a look at the link you provided.



Some more info from the GitHub Advanced Security alert:

// types
var generic = nested(/<(?:[^<>;=+\-*/%&|^]|<<self>>)*>/.source, 2); // the idea behind the other forbidden characters is to prevent false positives. Same for tupleElement.
var nestedRound = nested(/\((?:[^()]|<<self>>)*\)/.source, 2);

CodeQL: This part of the regular expression may cause exponential backtracking on strings starting with '(' and containing many repetitions of '<>'.

var name = /@?\b[A-Za-z_]\w*\b/.source;
var genericName = replace(/<<0>>(?:\s*<<1>>)?/.source, [name, generic]);
var identifier = replace(/(?!<<0>>)<<1>>(?:\s*\.\s*<<1>>)*/.source, [nonTypeKeywords, genericName]);

Rule ID: js/redos
Tool: CodeQL
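To make the alert excerpt concrete, here is an added example (not code from Metronic, TinyMCE or Prism) that reimplements the two template helpers the excerpt calls, `nested()` and `replace()`, as approximations of what the bundled highlighter does, and shows that the `<<self>>` expansion bounds the accepted nesting to 2^depthLog2 levels; `boundedMatch` is one call-site mitigation for a regex you cannot change inside a vendored bundle. The helper implementations, `maxNesting` and the 2000-character cap are assumptions of this example.

```javascript
// Added example; the helpers below approximate the bundle's `nested()` and
// `replace()` (assumption) so the flagged patterns can be expanded and inspected.

// Expand `<<self>>` into the pattern itself `depthLog2` times, then neutralise
// any remaining `<<self>>` with a class that matches nothing ([^\s\S]).
function nested(pattern, depthLog2) {
  for (let i = 0; i < depthLog2; i++) {
    // function replacer: the current `pattern` is spliced in verbatim
    pattern = pattern.replace(/<<self>>/g, () => '(?:' + pattern + ')');
  }
  return pattern.replace(/<<self>>/g, '[^\\s\\S]');
}

// Substitute each `<<n>>` placeholder with the n-th replacement, wrapped in a group.
function replace(pattern, replacements) {
  return pattern.replace(/<<(\d+)>>/g, (m, idx) => '(?:' + replacements[+idx] + ')');
}

// The two patterns quoted in the alert, built the same way the excerpt does.
const generic = nested(/<(?:[^<>;=+\-*/%&|^]|<<self>>)*>/.source, 2);
const nestedRound = nested(/\((?:[^()]|<<self>>)*\)/.source, 2);

// Triage aid (assumed helper): how many nesting levels the expanded source
// still accepts. With depthLog2 = 2 the pattern is unrolled 2 ** 2 = 4 levels,
// so the regex is finite even though it was written recursively.
function maxNesting(source, open, close, limit = 16) {
  const re = new RegExp('^' + source + '$');
  let depth = 0;
  let s = 'x';
  while (depth < limit) {
    s = open + s + close; // wrap one more level: <x>, <<x>>, <<<x>>> ...
    if (!re.test(s)) break;
    depth++;
  }
  return depth;
}

// Mitigation at the call site rather than in the vendored bundle: refuse to run
// the highlighter regex on inputs beyond a fixed size (2000 is an assumed cap),
// so the worst-case matching cost stays bounded whatever the pattern's shape.
function boundedMatch(source, input, maxLen = 2000) {
  if (input.length > maxLen) return null; // skip rather than risk a slow match
  return new RegExp(source).exec(input);
}
```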

