Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReDoS in SCSS processor #2908

Closed
dvasquez-7 opened this issue May 20, 2021 · 2 comments
Closed

ReDoS in SCSS processor #2908

dvasquez-7 opened this issue May 20, 2021 · 2 comments

Comments

@dvasquez-7
Copy link

Hello,

I'm a security researcher at Sonatype, and I discovered a potential vulnerability in this project. Do you have a preferred way for me to share the details privately, or do you want me to just show you what I've got on this GitHub issue?
@RunDevelopment
Copy link
Member

Thank you for asking before sharing the vulnerability @dvasquez-7.

Please message me at my private email address and then we can discuss the issue there.

@RunDevelopment
Copy link
Member

As discussed in the email, the issue found was a case of quadratic runtime caused by the pattern being moved across the string. This type of super-linear worst-case is

  1. Hard to fix. I believe it to impossible for most regexes.
  2. Somewhat acceptable. Quadratic runtime typically takes 10k characters of text to reach 1 second.

I'll close this issue now.

If there are any questions/suggestions/objects, then I'll gladly answer/respond to them either in this comment thread or my private email linked above and in my GitHub profile.

@rogov-k rogov-k mentioned this issue Jun 9, 2022
Closed
@ken-duck ken-duck mentioned this issue Aug 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RunDevelopment @dvasquez-7