
fix(deps): update dependency path-to-regexp to v8 [security] - autoclosed #1770

Closed

Conversation

backstage-goalie[bot] (Contributor)

This PR contains the following updates:

Package: path-to-regexp
Type: dependencies
Update: major
Change: ^7.1.0 -> ^8.0.0

path-to-regexp outputs backtracking regular expressions

CVE-2024-45296 / GHSA-9wv6-86v2-598j

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x.

Details

Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.

Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v8.0.0: Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I had foreseen what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will be the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

  • Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

  • Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
  • Parameter names follow JS identifier rules and allow unicode characters

Added

  • Parameter names can now be quoted, e.g. :"foo-bar"
  • Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

  • Removes loose mode
  • Removes regular expression overrides of parameters

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

@backstage-goalie backstage-goalie bot requested review from backstage-service and a team as code owners October 25, 2024 20:11
@backstage-goalie backstage-goalie bot requested a review from BethGriggs October 25, 2024 20:11
@backstage-goalie backstage-goalie bot added dependencies Pull requests that update a dependency file security labels Oct 25, 2024
backstage-goalie bot (Contributor, Author) commented Oct 25, 2024

Changed Packages

Package Name: @backstage-community/plugin-mend-backend
Package Path: workspaces/mend/plugins/mend-backend
Changeset Bump: patch
Current Version: v0.0.0

@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch 14 times, most recently from 8b5e7c6 to d0c82a6 Compare October 31, 2024 22:12
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from d0c82a6 to 3173512 Compare November 4, 2024 10:11
backstage-goalie bot (Contributor, Author) commented:

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch 4 times, most recently from 0218677 to a2a12d8 Compare November 12, 2024 23:11
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch 4 times, most recently from 712e2a2 to 77c7117 Compare November 17, 2024 00:17
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch 8 times, most recently from 536d22f to 3a121f7 Compare November 18, 2024 20:45
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 3a121f7 to c90be50 Compare November 18, 2024 20:45
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from c90be50 to 8985304 Compare November 18, 2024 21:08
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 8985304 to 584d77b Compare November 18, 2024 21:09
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 584d77b to b2365c6 Compare November 18, 2024 22:08
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from b2365c6 to 964ee41 Compare November 18, 2024 22:09
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 964ee41 to 9e62596 Compare November 19, 2024 01:36
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 9e62596 to 2cc8d95 Compare November 19, 2024 01:38
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 2cc8d95 to 8bb0e82 Compare November 19, 2024 07:09
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 8bb0e82 to b03aea5 Compare November 19, 2024 07:09
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from b03aea5 to f77f912 Compare November 19, 2024 10:10
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from f77f912 to dd42592 Compare November 19, 2024 10:10
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from dd42592 to 3c9d0a6 Compare November 19, 2024 12:09
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 3c9d0a6 to a0204da Compare November 19, 2024 12:10
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from a0204da to b8884f4 Compare November 19, 2024 16:13
Signed-off-by: Renovate Bot <bot@renovateapp.com>
@backstage-service backstage-service force-pushed the renovate/npm-path-to-regexp-vulnerability branch from b8884f4 to c72a903 Compare November 19, 2024 16:14
@backstage-goalie backstage-goalie bot changed the title fix(deps): update dependency path-to-regexp to v8 [security] fix(deps): update dependency path-to-regexp to v8 [security] - autoclosed Nov 19, 2024
@backstage-goalie backstage-goalie bot closed this Nov 19, 2024
@backstage-goalie backstage-goalie bot deleted the renovate/npm-path-to-regexp-vulnerability branch November 19, 2024 19:15