Vulnerable Regular Expression #510
Comments
Any movement on this?
Maybe? #517
Fix released in 3.3.5. Please reopen if still an issue.
Though the regex in question has been updated in unescapeHTML.js, it is still present in underscore.string.js and underscore.string.min.js. Hence the 3.3.5 version in the npm registry is still vulnerable to the Regular Expression Denial of Service (ReDoS) attack. I believe the dist was not recreated after the fix. Need to rebuild underscore.string.js and underscore.string.min.js and release a new version to npm.
The under.score package had a vulnerability: esamattis/underscore.string#510. Therefore, I upgraded the package together with other packages by `yarn upgrade`. There will be tolerable execution since we have 8 days after running `yarn upgrade`, and almost all upgraded packages were minor updates.
This fixes the following issues:
- CVE-2018-3750 (deep-extend) - https://nvd.nist.gov/vuln/detail/CVE-2018-3750
- CVE-2018-16469 (merge) - https://nvd.nist.gov/vuln/detail/CVE-2018-16469
- CVE-2019-1010266 (lodash) - https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
- WS-2019-0032 (js-yaml) - nodeca/js-yaml#475
- WS-2019-0063 (js-yaml) - nodeca/js-yaml#480
- WS-2018-0232 (underscore.string) - esamattis/underscore.string#510
This appears to still be an issue. `npm audit` is showing a vulnerability for this package even when fully up to date with the latest version. Am I missing something?
We tried to fix this issue some time ago. Really not sure what should be done more to solve it. PRs are very much welcome. I'll re-open this issue to get more eyes on it.
Thanks @esamattis. I have created a pull request for this issue: #525. I'd appreciate it if you can check and, if happy, merge and redeploy to npm to resolve this vulnerability.
Any update on this?
The following regular expression used in unescapeHTML is vulnerable to ReDoS:

```js
/\&([^;]+);/g
```

The slowdown is moderately low: for 50,000 characters around 2 seconds matching time. However, I would still suggest one of the following:
If needed, I can provide an actual example showing the slowdown.
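An added example, not part of this issue thread and not underscore.string's own code: the same replace-based unescape with the entity body capped in length, so that each `&` costs at most a fixed number of regex steps instead of a scan to the end of the input. The cap value, the entity table and the function names are assumptions for illustration.

```javascript
// Added example, not underscore.string's code. The pattern discussed in this
// issue, /\&([^;]+);/g, lets the engine scan from every '&' to the end of the
// input whenever no ';' follows, so the total work grows quadratically with
// input length. Capping the entity body keeps each attempt bounded.

// Assumed cap: real entity names and numeric references are far shorter.
const MAX_ENTITY_LEN = 32;

// Bounded pattern (hypothetical replacement): the body is 1..MAX_ENTITY_LEN
// characters that are neither ';' nor '&', so a stray '&' is never swallowed.
const ENTITY_RE = new RegExp('&([^;&]{1,' + MAX_ENTITY_LEN + '});', 'g');

// Small illustrative entity table; a real implementation would use a full one.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0'
};

// Decode one entity body ("amp", "#65", "#x42"); null means "not an entity".
function decodeEntity(body) {
  if (body[0] === '#') {
    const isHex = body[1] === 'x' || body[1] === 'X';
    const digits = body.slice(isHex ? 2 : 1);
    if (!(isHex ? /^[0-9a-fA-F]+$/ : /^[0-9]+$/).test(digits)) return null;
    const codePoint = parseInt(digits, isHex ? 16 : 10);
    if (codePoint > 0x10ffff) return null; // outside the Unicode range
    return String.fromCodePoint(codePoint);
  }
  return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
    ? NAMED_ENTITIES[body]
    : null;
}

// Drop-in shape for unescapeHTML: unknown or malformed entities are left as-is,
// and no '&' can make the engine look further than MAX_ENTITY_LEN + 1 chars.
function unescapeHTMLBounded(str) {
  return String(str).replace(ENTITY_RE, (match, body) => {
    const decoded = decodeEntity(body);
    return decoded === null ? match : decoded;
  });
}
```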