Security issue in regex #24
Care to provide a fix?
grinish21 added a commit to grinish21/cli that referenced this issue (Aug 14, 2024)
chainguards repo fixes the security issue with regex used - whilp/git-urls#24
AlekSi added a commit to AlekSi/task that referenced this issue (Nov 11, 2024)
Switch from https://github.com/whilp/git-urls to https://github.com/chainguard-dev/git-urls. See whilp/git-urls#24 and whilp/git-urls#28. Many scanning tools complain about that.
The regex on line 35 inside urls.go is vulnerable to regex denial of service when a long input is provided inside the directory path of the git URL. I managed to cause a 7s delay, but only because the payload in the URL was too long. Here is the PoC:
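A caller-side mitigation for the issue reported above, as an added example that is not the reporter's PoC and not code from whilp/git-urls or chainguard-dev/git-urls: reject over-long input before any regex runs. The pattern `scpLike`, the cap `maxGitURLLen`, the function `SplitSCP` and the sample remotes are assumptions made for illustration; the pattern is a stand-in, not the expression from urls.go.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// maxGitURLLen is an assumed cap; choose one that fits the remotes you accept.
const maxGitURLLen = 2048

// scpLike is a stand-in pattern for this example, NOT the regex from urls.go.
var scpLike = regexp.MustCompile(`^(?:([a-zA-Z0-9_]+)@)?([a-zA-Z0-9._-]+):(.*)$`)

var (
	ErrTooLong = errors.New("git url exceeds length cap")
	ErrNoMatch = errors.New("not an scp-style git url")
)

// SplitSCP returns the host and path of an scp-style remote. The length check
// runs before any regex work, so matching cost is bounded by maxGitURLLen no
// matter how long the directory path in the input is.
func SplitSCP(raw string) (host, path string, err error) {
	if len(raw) > maxGitURLLen {
		return "", "", fmt.Errorf("%w: %d bytes", ErrTooLong, len(raw))
	}
	m := scpLike.FindStringSubmatch(raw)
	if m == nil {
		return "", "", ErrNoMatch
	}
	return m[2], m[3], nil
}

func main() {
	// Constructed inputs: an ordinary remote and one with an oversized directory path.
	inputs := []string{
		"git@example.com:org/repo.git",
		"git@example.com:" + strings.Repeat("d/", 100000) + "repo.git",
	}
	for _, in := range inputs {
		host, path, err := SplitSCP(in)
		fmt.Printf("len=%d host=%q pathlen=%d err=%v\n", len(in), host, len(path), err)
	}
}
```

The same check belongs in front of any URL parser that receives remotes from untrusted sources, whichever library does the parsing.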