uglify -c changes behavior of mdast code #751
Comments
I fixed this in mdast (syntax-tree/mdast@1a4fc46), but I’m not sure that this was really my error. It was basically a long list of logical AND-operators, followed by an expression which I needed the value of (
This looks like a bug. Thanks for the test repo, it helped isolate the problem. The simplest test case appears to be:

```js
match = !x &&
    (!z || c) &&
    (!k || d) &&
    the_stuff();
```

compresses to:

```js
match = !(x || z && !c || k && !d || !the_stuff());
```

which obviously loses the value returned from
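The following is an added example, not code from the issue or from UglifyJS, that runs the source expression from the comment above side by side with the rewrite `uglify -c` produced. The names `x`, `z`, `c`, `k`, `d` and `the_stuff` are taken from the comment; `findMatch` and the sample inputs are constructed for the demonstration. De Morgan's law keeps the truthiness of the two forms identical, but `&&`/`||` return an operand rather than a boolean, and the leading `!` in the rewrite throws that operand away.

```javascript
// Added example reproducing the value-losing rewrite discussed in this issue.
// Not code from the issue or from UglifyJS; the_stuff and findMatch are stand-ins.

// The expression as written in the source. When every guard passes, the result
// is whatever the_stuff() returned (an object, a string, a number...).
function original(x, z, c, k, d, the_stuff) {
  return !x && (!z || c) && (!k || d) && the_stuff();
}

// The rewrite produced by uglify -c (quoted from the comment above). The outer
// `!` coerces the whole expression to a boolean.
function compressed(x, z, c, k, d, the_stuff) {
  return !(x || z && !c || k && !d || !the_stuff());
}

// Constructed stand-in for the_stuff(): returns a match object, as a parser would.
function findMatch() {
  return { index: 3, value: 'code' };
}

// Evaluate both forms on the same inputs and report whether they agree as values
// and whether they agree once coerced to a boolean (the only context in which the
// rewrite is actually equivalent).
function compare(x, z, c, k, d, the_stuff) {
  const a = original(x, z, c, k, d, the_stuff);
  const b = compressed(x, z, c, k, d, the_stuff);
  return {
    original: a,
    compressed: b,
    sameValue: a === b,
    sameTruthiness: Boolean(a) === Boolean(b),
  };
}

// Case 1: every guard passes. Source gets the match object; minified gets `true`.
// Any later `match.value` on the minified build reads undefined.
const allGuardsPass = compare(false, false, null, false, null, findMatch);

// Case 2: a guard short-circuits on a non-boolean falsy operand (c === 0).
// Source yields 0, minified yields false.
const guardYieldsZero = compare(false, true, 0, false, null, findMatch);

// Case 3: an early guard fails outright. Both forms yield false, which is why a
// test suite that only checks truthiness never notices the difference.
const firstGuardFails = compare(true, false, null, false, null, findMatch);

// Truthiness agrees in every case; the value does not.
console.log(allGuardsPass, guardYieldsZero, firstGuardFails);
```

The practical check when auditing a minified build is the one `compare` performs: diff the *values* the source and minified expressions produce, not just their truthiness, on inputs where the last operand is non-boolean.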
Fix pushed.
👍 awesome, thank you!
I also published v2.4.24 to npm, since the issue appears to be pretty serious. |
Requested a CVE assignment in http://seclists.org/oss-sec/2015/q3/351 |
I'm the author of the blog post @reedloden linked above - just wanted to clarify a couple things:
Update grunt-contrib-uglify dependency to v0.9.2 in order to fix security issue fixed in uglify-js v2.4.24. mishoo/UglifyJS#751 https://zyan.scripts.mit.edu/blog/backdooring-js/
Definitely. Most of the stuff that can bite you is behind
Based on the recommendations of [bundler-audit]:

```
ruby-advisory-db: 227 advisories
Name: uglifier
Version: 2.7.0
Advisory: OSVDB-126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
Unpatched versions found!
```

[bundler-audit]: https://rubygems.org/gems/bundler-audit
Resolves advisory 126747 mishoo/UglifyJS#751
Update grunt-contrib-uglify dependency to v0.9.2 in order to avoid a security issue fixed in uglify-js v2.4.24. mishoo/UglifyJS#751 https://zyan.scripts.mit.edu/blog/backdooring-js/ Closes gh-2556
Update grunt-contrib-uglify dependency to v0.9.2 in order to avoid a security issue fixed in uglify-js v2.4.24. mishoo/UglifyJS#751 https://zyan.scripts.mit.edu/blog/backdooring-js/ (cherry-picked from 835e921) Closes gh-2556
```
Name: uglifier
Version: 2.7.1
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
```
Problem: [bundler-audit] returned this security warning:

```
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up-to-date.
ruby-advisory-db: 230 advisories
Name: uglifier
Version: 2.7.1
Advisory: OSVDB-126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
Unpatched versions found!
```

[bundler-audit]: https://github.com/rubysec/bundler-audit

Solution: Upgrade with `bundle update uglifier`
Update gem uglifier to >= 2.7.2 to address security alert for affected versions prior to 2.7.2

Sources:
lautis/uglifier#86
https://zyan.scripts.mit.edu/blog/backdooring-js/
https://nodesecurity.io/advisories/uglifyjs_incorrectly_handles_non-boolean_comparisons
mishoo/UglifyJS#751
I've created a repo to reproduce this bug: https://github.com/tmcw/mdast-uglify-bug
For the mdast markdown library, the source succeeds when not uglified, and then, passed through `uglify -c`, its behavior changes and it breaks. I'm trying to dig through the source, passed through `uglify -c` and then `uglify -b`, in order to track down the cause. It's quite a doozy.