Exponential ReDoS (CVE-2021-23424) #19
Comments
Looks like this package is not accepting new merge requests and not in maintenance

@Tjatse @glenjamin @danfuzz Any chance to fix this issue?

I am not a maintainer of this project.

Me neither; sorry!

+1 any chance of fixing it @Tjatse ?

Okay, I published the fixed version to npm. It's called
This fixes the vulnerability reported in [CVE-2021-23424][CVE], by replacing the ansi-html dependency with a fork of the project that has the [suggested fix][ansi-html-fix] and resolves [webpack-contrib#412][412]

[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
[ansi-html-fix]: Tjatse/ansi-html#19
[412]: webpack-contrib#412
ty @mahdyar

How to fix, if you're using yarn

If you're using yarn and this package is not a direct dependency of your repo, you can resolve this issue with Selective Dependency Resolutions.

Install ansi-html-community

Add the resolution to your package.json

This instructs yarn to install

```json
"resolutions": {
  "ansi-html": "https://registry.yarnpkg.com/ansi-html-community/-/ansi-html-community-0.0.8.tgz#69fbc4d6ccbe383f9736934ae34c3f8290f1bf41",
}
```

Confirmation

After removing and re-installing node_modules (

```
❯ cat node_modules/ansi-html/package.json
{
  "name": "ansi-html-community",
  "version": "0.0.8",
  "description": "An elegant lib that converts the chalked (ANSI) text to HTML. (Community)",
  "main": "index.js",
  "scripts": {
    "test": "./node_modules/.bin/mocha -R spec -t 5000"
  },
  "bin": {
    "ansi-html": "./bin/ansi-html"
  },
  "repository": {
    "type": "git",
    "url": "git://github.com/mahdyar/ansi-html-community.git"
  },
  /* ... truncated ... */
```
Anyone know how to do this with npm-force-resolutions?

@cmacdonnacha you may want to open an issue with npm-force-resolutions. I don't see anything in their docs for a resolution value that is not a version number.

Thanks. It's actually CRA that uses this and they seem to have gone a bit stale with releases, so I think I will probably move to Vite.

@cmacdonnacha

That worked for me, thanks so much @jdehorty

This works. However, when I run
The project compiles and running this command Anyone facing this issue? Any solutions?

Thanks @mahdyar. This fix works and npm install works fine. However, when I do "npm audit fix", I am seeing the below error.
Could you check what's missing?

My resolutions: "resolutions": {
@ShanUSAC are you trying to use yarn or npm? If npm, follow the directions outlined here: https://stackoverflow.com/a/69591894/12649786

Note that you will also need a

```json
"scripts": {
  "preinstall": "npx npm-force-resolutions",
  "start": "react-scripts start",
  "build": "react-scripts build",
  "test": "react-scripts test --env=jsdom",
  "eject": "react-scripts eject"
}
```
I tried this with
If you are using yarn and
should be enough. |
Do I put that in my root |
worked like a charm. Thanks a lot @mahdyar |
Whichever package.json is transitively referencing ansi-html. Look at the generated lockfile.

On Tue, Nov 16, 2021 at 11:17 AM Kit Peters ***@***.***> wrote:

If you are using yarn and ansi-html is only a *transitive* dependency, you shouldn't need to install it yourself. Just using

```json
"resolutions": {
  "ansi-html": "https://registry.yarnpkg.com/ansi-html-community/-/ansi-html-community-0.0.8.tgz",
}
```

should be enough.

Do I put that in my root package.json or in frontend/package.json?
Pin to an exact version, 0.0.8, which I have personally verified only contains the desired change, plus package.json metadata changes and updates to README.md. (Pinning means we don't have to trust the independent GitHub user who published the fork, just the content of the patch.)

One can do the following commands to download and inspect the contents of the packages themselves, as hosted on the npm package registry...

- `npm pack [email protected]`
- `npm pack [email protected]`

Then extract the tarballs and compare the content.

See the following for details of the fork and why it was made:

- github[dot]com/Tjatse/ansi-html/issues/19
- github[dot]com/Tjatse/ansi-html/issues/19#issuecomment-913119841
For those of you who are using npm:

How to fix, if you're using npm

Starting with npm 8.3, you can add an option to override the dependencies of your dependencies by defining overrides on your root package.json.
Posting here as unable to contact maintainer.
Doyensec Vulnerability Advisory
SUMMARY
The npm package ansi-html uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS).
If an attacker provides a malicious string, ansi-html will get stuck processing the input for an extremely long time.
TECHNICAL DESCRIPTION
The vulnerable regular expression is in ansi-html/index.js, line 62 (commit 99ec49e).

Due to the `(\d+)*` part, this regular expression has catastrophic backtracking when given a long string of digits. The behaviour occurs as long as the digits are not followed immediately by an 'm'.
The complexity is exponential: increasing the length of the malicious string by one makes processing take about twice as long.
REPRODUCTION STEPS
In nodejs, run:
Notice that node hangs at 100% CPU. Increasing the number of spaces increases the processing time.
On my laptop that would take three minutes to complete, whereas
would take just over one year to complete.
REMEDIATION
Remove the asterisk from the regular expression on line 62.
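As an added example (not code from ansi-html or from the advisory), the remediated pattern with the asterisk removed, applied the way a converter would use it and run as a regression check against an input of the shape the advisory describes. The full regex shape `ESC [ digits m` and the code-to-tag table are assumptions made here; the page itself gives only the `(\d+)*` fragment and the line number.

```javascript
// Remediated pattern: the asterisk removed from (\d+)*, so one digit run per
// sequence and no nested quantifier. ASSUMPTION: the surrounding ESC [ ... m
// shape is assumed; the advisory shows only the (\d+)* fragment.
const FIXED_SGR = /\x1b\[(\d+)m/g;

// Minimal, constructed code-to-tag mapping, not the library's real table.
const OPEN = { '1': '<b>', '31': '<span style="color:#c00">' };
const CLOSE = { '1': '</b>', '31': '</span>' };

// Converts SGR escape sequences to HTML tags, closing everything on reset (0).
function ansiToHtml(text) {
  const open = [];                          // codes whose tags are still open
  const html = text.replace(FIXED_SGR, (_match, code) => {
    if (code === '0') {
      const closing = open.slice().reverse().map((c) => CLOSE[c]).join('');
      open.length = 0;
      return closing;
    }
    if (OPEN[code]) {
      open.push(code);
      return OPEN[code];
    }
    return '';                              // well-formed but unsupported code: drop it
  });
  // Close any tag left open at end of input so the output stays balanced.
  return html + open.slice().reverse().map((c) => CLOSE[c]).join('');
}

// Constructed regression input shaped as the advisory describes: ESC [ followed
// by a long digit run that is NOT terminated by 'm'. With a single \d+ the
// engine gives back at most one digit per backtracking step, so the scan is
// linear in n and the text comes back unchanged.
function longDigitRun(n) {
  return '\x1b[' + '1'.repeat(n) + ' ';
}

// Runs the converter on a valid sequence and on the hostile shape, reporting
// wall-clock time for the latter; with the fix this is milliseconds, not minutes.
function demo() {
  const ok = ansiToHtml('\x1b[1m\x1b[31mbold red\x1b[0m plain');
  const hostile = longDigitRun(1000000);
  const started = Date.now();
  const unchanged = ansiToHtml(hostile) === hostile;
  return { ok, unchanged, millis: Date.now() - started };
}

console.log(demo());
```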
Doyensec (www.doyensec.com) is an independent security research and development company focused on vulnerability discovery and remediation. We work at the intersection of software development and offensive engineering to help companies craft secure code.

Copyright 2021 by Doyensec LLC. All rights reserved.

Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given. The information in the advisory is believed to be accurate at the time of publishing based on currently available information, and it is provided as-is, as a free service to the community by Doyensec LLC. There are no warranties with regard to this information, and Doyensec LLC does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.