Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable Regular Expression #501

Closed
cristianstaicu opened this issue Sep 5, 2017 · 9 comments · Fixed by #504 or koajs/static-cache#73
Closed

Vulnerable Regular Expression #501

cristianstaicu opened this issue Sep 5, 2017 · 9 comments · Fixed by #504 or koajs/static-cache#73

Comments

@cristianstaicu
Copy link

The following regular expression used in the "o" formatter is vulnerable to ReDoS:

/\s*\n\s*/

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:

  • remove the regex,
  • anchor the regex,
  • limit the number of characters that can be matched by the repetition,
  • limit the input size.

If needed, I can provide an actual example showing the slowdown.
@TooTallNate
Copy link
Contributor

Thanks for the report. Patch welcome! The %o formatter by design needs to remove the newlines but any performance optimizations are ❤️ 👍

@zhuangya zhuangya mentioned this issue Sep 21, 2017
Merged
@fadookie
Copy link

@TooTallNate As far as I can tell no security patch for this issue has yet been released for 3.x, is this in the works? Thanks!

@TooTallNate
Copy link
Contributor

@fadookie Yes correct, thanks for the nudge. v3.1.0 has now been published.

@gazoakley gazoakley mentioned this issue Sep 28, 2017
Merged
@carterbancroft carterbancroft mentioned this issue Sep 29, 2017
Closed
@roderickhsiao roderickhsiao mentioned this issue Oct 17, 2017
Merged
@cainwatson cainwatson mentioned this issue Oct 20, 2017
Closed
@saadtazi saadtazi mentioned this issue Oct 28, 2017
Closed
5 tasks
saadtazi pushed a commit to saadtazi/express that referenced this issue Oct 28, 2017
update debug package version
865c875 
Fixes a security vulnerability: debug-js/debug#501
platinumazure added a commit to eslint/eslint that referenced this issue Dec 18, 2017
@platinumazure
Upgrade: debug@^3.1.0
ae5e710 
This version of debug addresses a minor ReDoS issue. See debug-js/debug#501, debug-js/debug#504 for more information. Looking at the rest of the changelog, this should be a pretty low-risk upgrade.
@platinumazure platinumazure mentioned this issue Dec 18, 2017
Merged
aladdin-add pushed a commit to eslint/eslint that referenced this issue Dec 19, 2017
@platinumazure @aladdin-add
Upgrade: debug@^3.1.0 (#9731)
4ddc131 
This version of debug addresses a minor ReDoS issue. See debug-js/debug#501, debug-js/debug#504 for more information. Looking at the rest of the changelog, this should be a pretty low-risk upgrade.
@gl2748 gl2748 mentioned this issue Jan 23, 2018
Merged
@zazoomauro zazoomauro mentioned this issue Feb 19, 2018
Closed
@jonschlinkert jonschlinkert mentioned this issue Nov 3, 2018
Closed
This was referenced Dec 17, 2018
Closed
Closed
Closed
Closed
@marshyski marshyski mentioned this issue Jan 5, 2019
Closed
This was referenced Jan 15, 2019
Closed
Closed
This was referenced Jan 31, 2019
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced May 6, 2019
Closed
Closed
Closed
Closed
Closed
@marshyski marshyski mentioned this issue May 13, 2019
Closed
This was referenced May 29, 2019
Closed
Closed
Closed
@IsmaelMartinez IsmaelMartinez mentioned this issue Aug 26, 2019
Closed
@Yaniv-git
Copy link

Hello,
My name is Yaniv Nizry I’m an Application Security Researcher from CxSCA group at Checkmarx,
after looking into this issue we noticed that it might not have been resolved.
For more information please contact us at:
ScaAppSec@checkmarx.com

Thanks,
Yaniv

@Qix-
Copy link
Member

Qix- commented Sep 14, 2020

@yaniv-checkmarx Hi. Feel free to submit a report to me at josh.junon@protonmail.com if you think you've found a security issue with debug. Please be sure to specify exactly which versions and/or version ranges you think the vulnerability pertains to.

Thanks.

@Yaniv-git
Copy link

@Qix- Hi, I sent you on September 14th the email, don't know if you got it.
Are there any updates?

@Qix-
Copy link
Member

Qix- commented Oct 1, 2020

Hi @yaniv-checkmarx, I've been focused on other things the last few weeks. Apologies. I'll take a look within the next week to see if I can validate.

@Yaniv-git
Copy link

@Qix- pinging you on this issue :)

@Qix-
Copy link
Member

Qix- commented Nov 19, 2020

Confirmed, regressed in 6ab9525c9841b656d996e521cf86192d5647483a a long while ago.

Will push a fix, thank you for the report @yaniv-checkmarx @Eden-checkmarx. Apologies for the delay until now.

@ambaumann ambaumann mentioned this issue Jan 9, 2021
Open
@awshole awshole mentioned this issue Sep 10, 2021
Open
@Robthreefold Robthreefold mentioned this issue May 5, 2022
Closed
@github-actions github-actions bot mentioned this issue May 11, 2022
Closed
This was referenced May 6, 2022
Open
Open
Open
This was referenced May 16, 2022
Open
Open
@github-actions github-actions bot mentioned this issue Aug 1, 2022
Open
This was referenced Mar 7, 2023
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: remove ReDoS regexp
Update package.json bump debug and mz versions
5 participants
@TooTallNate @fadookie @Qix- @cristianstaicu @Yaniv-git