-
-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I think the regexps are busted #32
Comments
Also cc @mrmlnc in case you know. |
interesting. but not sure I understand fully. could you make a test case? |
I think my problem in understanding is that we have test cases which are the correct behavior, but I think it's only a side effect of this (potential) mistake 😬 changing the regexp makes them fail |
this is function that gets glob's parent path which is |
Well, the parent in |
Ain't backslash escaped here? |
I think that's the escape sequence? From the README:
|
@phated If applying your suggestion makes the test, which indicates the correct behavior, fail - then what are you chasing down? I see what you’re saying relative to the comment that’s there, but maybe it’s the comment that’s wrong? In other words, perhaps this is deliberately meant to apply to more situations than just the ones the comment refers to. |
@es128 so, I'm wondering if more logic needs to changed to correct this (if it needs to be corrected) and keep the tests passing. I'm specifically hunting this because of the snyk vuln that was published. They sent me a new regexp but it fails our test suite, which caused me to jump down the rabbit hole to investigate each of the regexp behaviors in this library. |
This is surprising to me. I think I fixed it without breaking the test suite. (See #34.) I'm curious what the regex they sent you was. |
So, everyone may already be clear on this first part, but just in case: The regexp has a no-doubt accidental no-op in the middle (see #34 (comment)). Once that somewhat verbose way of writing "anything at all, even nothing" is removed from the regular expression, it's a little easier to understand. The regular expression matches an opening So this ensures that So the regexp really does nothing other than make sure that a path that ends with a Normally, this isn't very significant. But it has an effect when the opening brace is escaped because of the way Is this a bug? If the Then there's the whole "what should it do with a / inside of [ ] or { }". Same for To me, this seems like the old story of using a regular expression where a parser is needed. (And even in that case, I'm not sure this will work.) If it were up to me (and of course, it's not) I would land #34 and publish a patch fix so people won't get caught by a ReDoS attack if they are using this in a web server or something like that, then publish a breaking change that gets rid of the enclosures magic, or at least reduces/simplifies it greatly. |
You touched on it a bit. The regexp isn't supposed to match Matching |
So, if I'm understanding correctly, the expected result for Is that right? |
I believe that's the correct interpretation, because |
This change fixes the regular expression denial of service vulnerability. This also fixes some incorrect tests that concealed a bug. Fixes: gulpjs#32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
OK, cool, I've updated the PR now to fix the reg exp so that it does not have a ReDoS and now properly checks for a |
This change fixes a regular expression denial of service vulnerability. Fixes: gulpjs#32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
This change fixes a regular expression denial of service vulnerability. Refs: gulpjs#32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
any idea about the timeframe when these pull requests will be accepted and a new version is released? |
This change fixes a regular expression denial of service vulnerability. Refs: #32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
This change fixes the regular expression denial of service vulnerability. This also fixes some incorrect tests that concealed a bug. Fixes: gulpjs#32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
This change fixes the regular expression denial of service vulnerability. This also fixes some incorrect tests that concealed a bug. Fixes: gulpjs#32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
I was investigating https://github.com/gulpjs/glob-parent/blob/main/index.js#L26-L29 in relation to the test suite and I think the pattern is completely wrong.
For example:
'path/\\[bar]'
is matched by that pattern, but the "enclosure" ([bar]
) doesn't contain any path separator.My gut feeling is that the
[\/]*
pattern is supposed to be[\/]+
so that it matches only if there's one or more/
inside the enclosure, instead of 0 or more. But I have no idea... maybe @paulmillr or @es128 have an idea 🤞The text was updated successfully, but these errors were encountered: