Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace ansi-html and fix the ReDoS vulnerability #3798

Closed
wants to merge 1 commit into from
Closed

Replace ansi-html and fix the ReDoS vulnerability #3798

wants to merge 1 commit into from

Conversation

carlobeltrame
Copy link
Contributor

@carlobeltrame carlobeltrame commented Sep 5, 2021
edited
Loading

  • This is a bugfix
  • This is a feature
  • This is a code refactor
  • This is a test update
  • This is a docs update
  • This is a metadata update

For Bugs and Features; did you add new tests?

I moved and simplified the code from an unmaintained and vulnerable dependency to this project and fixed a ReDoS vulnerability, as suggested by @alexander-akait. I did not move the tests from that project - let me know if I should do that.

Motivation / Use-Case

Fixes #3576
As suggested by @alexander-akait in #3576 (comment)

Breaking Changes

None

Additional Info

If the Apache license and altogether slightly awkward position of this code in webpack-dev-server doesn't seem right, an alternative would be to use the new ansi-html-community package, which includes the CVE fix and promises to be better maintained. I'd be happy to create a PR for that as well. Let me know what you think.

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Sep 5, 2021
edited
Loading

CLA Signed

The committers are authorized under a signed CLA.

@carlobeltrame carlobeltrame mentioned this pull request Sep 5, 2021
Closed
2 tasks
@YipingRuan
Copy link

Well done..thank you.!
Maybe fix the commit message and we are all saved?

refactor : Remove ansi-html dependency ?

@carlobeltrame
Copy link
Contributor Author

Oh, right, semantic commit messages. Done.

snitin315
snitin315 reviewed Sep 6, 2021
View reviewed changes
package-lock.json Outdated
@@ -1,17939 +1,8 @@
{
"name": "webpack-dev-server",
"version": "4.1.0",
"lockfileVersion": 2,
"lockfileVersion": 1,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use "lockfileVersion": 2, it would be nice if you can commit package-lock.json with npm@7, to avoid large diffs.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Of course, my bad. Done.

client-src/modules/ansi-html/LICENSE
@@ -0,0 +1,202 @@
Apache License
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use MIT 😕 , would it be a problem?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, ansi-html was published under Apache 2.0. I cannot simply re-license code that isn't mine. Apache 2.0 is more restrictive than MIT, but it doesn't stop us from copying and adapting code, as long as the license is preserved.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't accept this, sorry

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WE need rewrite code in this case on our solution

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that case it might be far easier to just change the dependency from ansi-html to ansi-html-community. Since the original author of ansi-html is not reacting, someone else created a new npm package with the same code plus the fix.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we can do it too

carlobeltrame
carlobeltrame commented Sep 6, 2021
View reviewed changes
client-src/modules/ansi-html/index.js
@@ -0,0 +1,122 @@
/**
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if modules is the correct directory for this, I see that webpack builds some separate bundles based on subdirectories of modules. Let me know if there is a better suited location.

@carlobeltrame carlobeltrame mentioned this pull request Sep 6, 2021
Merged
6 tasks
@carlobeltrame
Copy link
Contributor Author

I have created a new PR #3801 which does not copy and adapt the code of ansi-html, but rather uses a fork of ansi-html that should be better maintained in the future.
Closing this PR in favor of #3801.

@fabienmoyon fabienmoyon mentioned this pull request Sep 8, 2021
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snitin315 snitin315 snitin315 left review comments

@alexander-akait alexander-akait Awaiting requested review from alexander-akait alexander-akait is a code owner

@anshumanv anshumanv Awaiting requested review from anshumanv anshumanv is a code owner

@hiroppy hiroppy Awaiting requested review from hiroppy hiroppy is a code owner

@knagaitsev knagaitsev Awaiting requested review from knagaitsev

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ReDoS Vulnerability
4 participants
@carlobeltrame @YipingRuan @alexander-akait @snitin315