You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The application was found calling the new Buffer constructor which has been deprecated
since Node 8.
By passing in a non-literal value, an adversary could allocate large amounts of memory.
Other issues also exist with the Buffer constructor:
Older versions would return uninitialized memory, which could contain sensitive information
Unable to easily determine what a Buffer contained if passed a non-literal value
To remediate this issue, use Buffer.alloc or Buffer.from instead to allocate a new Buffer.
Example using Buffer.alloc instead of new Buffer(...):
// Create a new buffer using Buffer.from
const buf = Buffer.from([1, 2, 3, 4]);
// Work with buf
For more information on migrating to Buffer.from()/Buffer.alloc() see:
The application was found calling the new Buffer constructor which has been deprecated
since Node 8.
By passing in a non-literal value, an adversary could allocate large amounts of memory.
Other issues also exist with the Buffer constructor:
Older versions would return uninitialized memory, which could contain sensitive information
Unable to easily determine what a Buffer contained if passed a non-literal value
To remediate this issue, use Buffer.alloc or Buffer.from instead to allocate a new Buffer.
Example using Buffer.alloc instead of new Buffer(...):
// Create a new buffer using Buffer.from
const buf = Buffer.from([1, 2, 3, 4]);
// Work with buf
For more information on migrating to Buffer.from()/Buffer.alloc() see:
The application was found executing string comparisons using one of ===, !==, == or !=
against security sensitive values. String comparisons like this are not constant time, meaning
the
first character found not to match in the two strings will immediately exit the conditional
statement.
This allows an adversary to calculate or observe small timing differences depending on the
strings
passed to this comparison. This potentially allows an adversary the ability to brute force a
string
that will match the expected value by monitoring different character values.
To remediate this issue, use the crypto.timingSafeEqual method when comparing strings.
Example using crypto.timingSafeEqual to safely compare strings:
function constantTimeIsPasswordEqual(userInput) {
// Retrieve the password from a secure data store such as a KMS or Hashicorp's vault.
const password = getPasswordFromSecureDataStore();
// Use crypto timingSafeEqual to ensure the comparison is done in constant time.
return crypto.timingSafeEqual(Buffer.from(userInput, 'utf-8'), Buffer.from(password,
'utf-8'));
}
For more information on constant time comparison see:
// Increment failedRetrievaals counter, update lastFailedRetrievalAt data and send error to client
letincrementFailedRetrievals=1;
if(failedRetrievals){
incrementFailedRetrievals=failedRetrievals+1;
}
constnow=Date.now();
console.log(typeof(incrementfailedRetrievals));
console.log(typeof(now));
console.log(typeof(id));
constexpiresAt=data.Item.expiresAt;
constx={
TableName: process.env.tableName,
// 'Key' defines the key of the item to be retrieved
Key: {
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-208
Detect possible timing attacks
The application was found executing string comparisons using one of ===, !==, == or !=
against security sensitive values. String comparisons like this are not constant time, meaning
the
first character found not to match in the two strings will immediately exit the conditional
statement.
This allows an adversary to calculate or observe small timing differences depending on the
strings
passed to this comparison. This potentially allows an adversary the ability to brute force a
string
that will match the expected value by monitoring different character values.
To remediate this issue, use the crypto.timingSafeEqual method when comparing strings.
Example using crypto.timingSafeEqual to safely compare strings:
function constantTimeIsPasswordEqual(userInput) {
// Retrieve the password from a secure data store such as a KMS or Hashicorp's vault.
const password = getPasswordFromSecureDataStore();
// Use crypto timingSafeEqual to ensure the comparison is done in constant time.
return crypto.timingSafeEqual(Buffer.from(userInput, 'utf-8'), Buffer.from(password,
'utf-8'));
}
For more information on constant time comparison see:
10 Potential vulnerability sources found in
JavaScriptfiles within this repo⚠️ CRITICAL🔴 HIGH🔵 MEDIUM⚪ LOWNullify Code - JavaScript🔵 MEDIUM SeverityCWE-327Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Line 386 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-327Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Line 1056 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-185Regex dos
Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.
secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Lines 3913 to 3914 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-327Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Line 5919 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-770Detect new buffer
The application was found calling the
new Bufferconstructor which has been deprecatedsince Node 8.
By passing in a non-literal value, an adversary could allocate large amounts of memory.
Other issues also exist with the
Bufferconstructor:To remediate this issue, use
Buffer.allocorBuffer.frominstead to allocate a newBuffer.Example using
Buffer.allocinstead ofnew Buffer(...):For more information on migrating to
Buffer.from()/Buffer.alloc()see:secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Line 6469 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-770Detect new buffer
The application was found calling the
new Bufferconstructor which has been deprecatedsince Node 8.
By passing in a non-literal value, an adversary could allocate large amounts of memory.
Other issues also exist with the
Bufferconstructor:To remediate this issue, use
Buffer.allocorBuffer.frominstead to allocate a newBuffer.Example using
Buffer.allocinstead ofnew Buffer(...):For more information on migrating to
Buffer.from()/Buffer.alloc()see:secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Line 6487 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-185Regex dos
Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.
secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Lines 7081 to 7090 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-327Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
secret-sharer-server/.webpack/create-billing-portal-session/create-billing-portal-session.js
Line 7931 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-208Detect possible timing attacks
The application was found executing string comparisons using one of
===,!==,==or!=against security sensitive values. String comparisons like this are not constant time, meaning
the
first character found not to match in the two strings will immediately exit the conditional
statement.
This allows an adversary to calculate or observe small timing differences depending on the
strings
passed to this comparison. This potentially allows an adversary the ability to brute force a
string
that will match the expected value by monitoring different character values.
To remediate this issue, use the
crypto.timingSafeEqualmethod when comparing strings.Example using
crypto.timingSafeEqualto safely compare strings:For more information on constant time comparison see:
secret-sharer-server/get.js
Lines 98 to 112 in f6e2b78
Nullify Code - JavaScript🔵 MEDIUM SeverityCWE-208Detect possible timing attacks
The application was found executing string comparisons using one of
===,!==,==or!=against security sensitive values. String comparisons like this are not constant time, meaning
the
first character found not to match in the two strings will immediately exit the conditional
statement.
This allows an adversary to calculate or observe small timing differences depending on the
strings
passed to this comparison. This potentially allows an adversary the ability to brute force a
string
that will match the expected value by monitoring different character values.
To remediate this issue, use the
crypto.timingSafeEqualmethod when comparing strings.Example using
crypto.timingSafeEqualto safely compare strings:For more information on constant time comparison see:
secret-sharer-server/handler.js
Lines 125 to 139 in f6e2b78
The text was updated successfully, but these errors were encountered: