The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds.
Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.
I don't think we're using cookie parsing anywhere so this is probably a false positive and can be closed in Gemnasium. Could @mjoyce91 or @burgwyn please confirm?
Would this only pose a risk if we were using it server side? The only place cookie parsing might take place is with any kind of Local Storage fallback. But that's obviously client-side. And we're not doing a whole lot server-side at the moment besides some basic routes.
yarn why shows that this tough-cookie is coming in from node-sass and jest, so I'm comfortable saying this does not affect us.
$ yarn why tough-cookie
yarn why v0.27.5
[1/4] Why do we have the module "tough-cookie"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info Reasons this module exists
- "node-sass#request" depends on it
- "jest#jest-cli#jest-environment-jsdom#jsdom" depends on it
info Disk size without dependencies: "248kB"
info Disk size with unique dependencies: "280kB"
info Disk size with transitive dependencies: "280kB"
info Number of shared dependencies: 1
Done in 1.11s.
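Added example (not code from the State-TalentMAP project): a small Node script that automates the triage done by hand with `yarn why` above. It parses a yarn.lock v1 file and reports whether the flagged package is reachable from `dependencies` (ships to users) or only from `devDependencies`. The lockfile and the package.json-style roots are constructed and abbreviated; `parseLock`, `pathsTo` and `triage` are names chosen here.

```javascript
// Added example; LOCK is a constructed, abbreviated yarn.lock (v1 format).
const LOCK = `
"node-sass@^4.5.3":
  version "4.5.3"
  dependencies:
    request "^2.79.0"
"request@^2.79.0":
  dependencies:
    tough-cookie "~2.3.0"
"tough-cookie@~2.3.0", "tough-cookie@^2.3.2":
  version "2.3.2"
"express@^4.15.3":
  version "4.15.3"
`;
// Header `"a@^1", "a@^2":` opens an entry; its `dependencies:` block lists edges.
function parseLock(text) {
  const deps = new Map(); // "name@range" -> ["dep@range", ...]
  let cur = [], inDeps = false;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      cur = []; inDeps = false;
      line.replace(/:$/, '').split(',').forEach((k) =>
        deps.set(k.trim().replace(/^"|"$/g, ''), cur));
    } else if (line.trim() === 'dependencies:') inDeps = true;
    else if (inDeps && line.startsWith('    ')) {
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"(.+)"$/);
      if (m) cur.push(`${m[1]}@${m[2]}`);
    } else inDeps = false; // version, resolved, integrity, other blocks
  }
  return deps;
}
// All name chains from `roots` to `target`; `chain` doubles as a cycle guard.
function pathsTo(deps, roots, target, chain = []) {
  const found = [];
  for (const key of roots) {
    const name = key.slice(0, key.lastIndexOf('@'));
    if (name === target) found.push([...chain, name]);
    else if (!chain.includes(name))
      found.push(...pathsTo(deps, deps.get(key) || [], target, [...chain, name]));
  }
  return found;
}
// Split as the thread did by hand: `dependencies` chains ship, dev-only do not.
function triage(lockText, pkg, target) {
  const deps = parseLock(lockText);
  const [prod, dev] = [pkg.dependencies, pkg.devDependencies].map((o) =>
    pathsTo(deps, Object.entries(o || {}).map(([n, r]) => `${n}@${r}`), target));
  return { prod, dev, shipsToProduction: prod.length > 0 };
}
```

Run against the real `yarn.lock` and `package.json`, an empty `prod` list with a non-empty `dev` list is the "dev-only, does not affect us" conclusion reached in the thread.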
see: https://gemnasium.com/github.com/18F/State-TalentMAP/alerts