
I am new to programming and everyone keeps mentioning how it is problem specific, but I wanted to know: when using npm audit, does the denial of service mean it's not able to communicate with the git repository?

```
glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/chokidar/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    live-server  >=1.2.0
    Depends on vulnerable versions of chokidar
    node_modules/live-server

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix
```
King_Damo
  • Have you read e.g. https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS, https://sec.okta.com/articles/2020/04/attacking-evil-regex-understanding-regular-expression-denial-service/, ... – jonrsharpe Feb 25 '22 at 21:17
  • The npm package `glob-parent` had a bug in a [regular expression](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions) that would allow an attacker to perform a [denial of service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) that could affect your application. The vulnerability was fixed [with this commit](https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366). Because the version of `chokidar` you're using relies on a version of `glob-parent` that was vulnerable to this issue, npm warns you. – D M Feb 25 '22 at 21:17
  • The issue has nothing to do with git or your repository. The [GitHub link](https://github.com/advisories/GHSA-ww39-953v-wcq6) in the warning is the notice about the vulnerability in `glob-parent`. – D M Feb 25 '22 at 21:18

1 Answer


What you're seeing is an alert coming from NPM that reports that one of the packages your project is using, glob-parent, had a vulnerability before version 5.1.2. Specifically, someone could theoretically do:

```javascript
var globParent = require("glob-parent");

// Build an opening brace followed by n slashes and no closing brace.
function build_attack(n) {
  var ret = "{";
  for (var i = 0; i < n; i++) {
    ret += "/";
  }
  return ret;
}

globParent(build_attack(5000));
```

or create some other deliberately malformed string for globParent to parse, which would result in your system hanging due to a regular expression that glob-parent is using.

If you upgrade to a more recent version of glob-parent (which you can do with npm audit fix), you will no longer be vulnerable to this attack.

> does the denial of service mean it's not able to communicate with the git repository?

No, it means that a bad actor could theoretically leverage glob-parent to deny resources to your system (until you killed the process). It doesn't mean that such a thing is actually taking place, just that the old versions of glob-parent were vulnerable to such a thing.

CertainPerformance
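Why the unclosed-brace string in the answer stalls the process, and what the 5.1.2 upgrade changes, as an added example that is not part of the answer or of glob-parent's own code. The two regexes are my reconstruction of glob-parent's enclosure check before and after the fix commit linked in the comments (an assumption; verify against that commit), and `unclosedBrace`, `millisToTest`, `growthTable` and `sameVerdict` are helper names chosen here.

```javascript
// Reconstruction of glob-parent's "enclosure" regex before and after the
// 5.1.2 fix (assumption: verify against the commit linked in the comments).
// The old pattern has three overlapping quantifiers (.* [\/]* .*) that are
// all retried when the final [\}\]]$ fails; the fix keeps a single .* so a
// failed match backs off linearly instead of trying every split of the slashes.
const VULNERABLE_ENCLOSURE = /[\{\[].*[\/]*.*[\}\]]$/;
const FIXED_ENCLOSURE = /[\{\[].*[\}\]]$/;

// Same shape of input as the answer's build_attack: an opening brace that is
// never closed, so the regex can only fail, after exhausting every split.
function unclosedBrace(n) {
  return "{" + "/".repeat(n);
}

// Milliseconds for one re.test(); process.hrtime.bigint needs no import.
function millisToTest(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time both patterns for each n. For the old pattern the work grows roughly
// with n^3 (doubling n costs about 8x); the fixed pattern stays flat.
function growthTable(sizes) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: millisToTest(VULNERABLE_ENCLOSURE, unclosedBrace(n)),
    fixedMs: millisToTest(FIXED_ENCLOSURE, unclosedBrace(n)),
  }));
}

// The fix must not change verdicts on ordinary globs: both patterns agree on
// these constructed sample paths, which is why the upgrade is safe to apply.
const SAMPLE_GLOBS = ["src/{a,b}", "path/[abc]", "a/{b/c}", "plain/path", "{a}/b", "{/"];
function sameVerdict(inputs) {
  return inputs.every((s) => VULNERABLE_ENCLOSURE.test(s) === FIXED_ENCLOSURE.test(s));
}

if (typeof require !== "undefined" && require.main === module) {
  // Keep n small: n = 5000 (the answer's value) stalls the old pattern for a very long time.
  console.table(growthTable([100, 200, 400]));
  console.log("patterns agree on sample globs:", sameVerdict(SAMPLE_GLOBS));
}
```

Running it with `node` prints the timing table; the old pattern's column grows much faster than the input, which is the hang the answer describes, while the fixed column barely moves.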