Groups of consecutive underscores in a specific pattern hang/take a long time to convert #1927
Labels
L0 - security
A security vulnerability within the Marked library is discovered
Comments
|
Looks like this was introduced in |
UziTech
added
the
L0 - security
|
After some testing it looks like #1864 fixes it. @calculuschild maybe we should release v2 with that fix sooner rather than wait for #1872 and others? |
5 tasks
|
I'm not opposed to that. I'm kind of at a dead end with #1872 for now anyway. |
|
This should be fixed in v2.0.0 |
|
Thank you so much for the speedy response!! 🙇♂️ |
This was referenced Feb 8, 2021
Merged
This was referenced Feb 8, 2021
Closed
This was referenced Apr 26, 2021
Closed
Open
Merged
Open
This was referenced May 3, 2021
Closed
Open
|
Hey ! |
|
The fix has breaking changes. If this was backported to v1 those packages that don't update could break. I think it would be better for them to update their dependency then to totally break. |
This was referenced May 15, 2021
Open
1 task
Closed
1 task
Open
1 task
kodiakhq bot
referenced
this issue
in carbon-design-system/carbon-for-ibm-dotcom
Jan 11, 2022
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [marked](https://marked.js.org) ([source](https://togithub.com/markedjs/marked)) | [`^1.2.9` -> `^2.0.0`](https://renovatebot.com/diffs/npm/marked/1.2.9/2.0.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2021-21306](https://togithub.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96) ### Impact _What kind of vulnerability is it? Who is impacted?_ [Regular expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) A Denial of Service attack can affect anyone who runs user generated code through `marked`. ### Patches _Has the problem been patched? What versions should users upgrade to?_ patched in v2.0.0 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ None. ### References _Are there any links users can visit to find out more?_ [https://github.com/markedjs/marked/issues/1927](https://togithub.com/markedjs/marked/issues/1927) https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS ### For more information If you have any questions or comments about this advisory: * Open an issue in [marked](https://togithub.com/markedjs/marked/issues) --- ### Release Notes <details> <summary>markedjs/marked</summary> ### [`v2.0.0`](https://togithub.com/markedjs/marked/releases/v2.0.0) [Compare Source](https://togithub.com/markedjs/marked/compare/v1.2.9...v2.0.0) ##### Bug Fixes - Join adjacent inlineText tokens ([#​1926](https://togithub.com/markedjs/marked/issues/1926)) ([f848e77](https://togithub.com/markedjs/marked/commit/f848e7703956a6c37871432a7e128f51b1700aa0)) - Total rework of Emphasis/Strong ([#​1864](https://togithub.com/markedjs/marked/issues/1864)) ([7293251](https://togithub.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd)) ##### BREAKING CHANGES - `em` and `strong` tokenizers have been merged into one `emStrong` tokenizer. - `code` and `text` tokenizers do not get passed all tokens as a second parameter. - No longer supporting IE 11. IE 11 may still work but we are not committed to making sure it works with every update. We still provide an es5 version in `lib/marked.js` but some pollyfills may be needed for IE 11 in the future. </details> --- ### Configuration 📅 **Schedule**: "" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [WhiteSource Renovate](https://renovate.whitesourcesoftware.com). View repository job log [here](https://app.renovatebot.com/dashboard#github/carbon-design-system/carbon-for-ibm-dotcom).
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Marked version: 1.2.9
Describe the bug
3 or more groups of odd and even-numbered consecutive underscores followed by a character takes a very long time to convert.
Example input:
_______________________________ ____________________ __________________________ aIf you click on the Marked Demo link below, you will see that this takes a long time to convert (approximately 2 minutes).
The input above is:
31 underscores, 20 underscores, 26 underscores, and an
a.Modifying the input in a number of ways changes the conversion time to < 10ms:
acharacter.It seems that the longer the consecutive underscores are in length, the time increasingly gets longer.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The markdown to html conversion should take roughly the same amount of time as it does as when the above example input is modified such in one of the ways describe above (i.e. < 10ms).
The text was updated successfully, but these errors were encountered: