Update request 2.72.x to 2.74.x to fix tough cookie vulnerability. #9

Closed
wants to merge 1 commit into base: master
2 participants
m4bwav commented Aug 6, 2016

Resolves the vulnerability found in the old version of request. From a Snyk scan of an app that relies on stackexchange at https://snyk.io/test/npm/stack-exchange-markdown-retriever :

"ReDoS via long string of semicolons
high severity

Vulnerable module: tough-cookie
Introduced through: stackexchange@0.4.0

Detailed paths and remediation

Introduced through: stack-exchange-markdown-retriever@1.0.2 › stackexchange@0.4.0 › request@2.72.0 › tough-cookie@2.2.2 Remediation: Run snyk wizard to patch tough-cookie@2.2.2.

Overview

tough-cookie package versions 0.9.7 through 2.2.2 are vulnerable to a Regular expression Denial of Service (ReDoS) when long strings of semicolons in the Set-Cookie header cause the event loop to block for excessive amounts of time.

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]"

Update request 2.72.x to 2.74.x to fix tough cookie vulnerability.
"tough-cookie package versions 0.9.7 through 2.2.2 are vulnerable to a Regular expression Denial of Service (ReDoS) when long strings of semicolons in the Set-Cookie header cause the event loop to block for excessive amounts of time."
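The Snyk report above pins the problem to one transitive path (stackexchange › request › tough-cookie) and one affected version range (0.9.7 through 2.2.2). The following is an added example, not code from this PR or from the stackexchange package, showing how a defender can check a dependency tree for that range without a scanner: it walks the `{ name, version, dependencies }` shape that `npm ls --json` emits and reports every path ending in an affected tough-cookie release. The sample tree is constructed here to mirror the reported path; the second branch, with request 2.74.0 resolving tough-cookie 2.3.0, is an assumption used only to show a non-matching path.

```javascript
// Added example (not part of the original PR): report every dependency path
// that resolves tough-cookie to a release in the advisory's affected range,
// 0.9.7 through 2.2.2 inclusive. Plain Node, no third-party packages.

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease/build suffixes are
// ignored (assumption: the tree holds resolved release versions).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare on the three numeric components: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range test matching "0.9.7 through 2.2.2" from the advisory.
function isVulnerableToughCookie(version) {
  return compareVersions(version, '0.9.7') >= 0 &&
         compareVersions(version, '2.2.2') <= 0;
}

// Depth-first walk over an npm-style tree:
// { name, version, dependencies: { <name>: { version, dependencies } } }
// Returns one "a@1 › b@2 › ..." string per affected occurrence.
function findVulnerablePaths(tree, pkg = 'tough-cookie', check = isVulnerableToughCookie) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && check(node.version)) hits.push(here.join(' › '));
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Constructed sample tree. The first branch reproduces the path Snyk
// reported in the PR text; the second is an assumed branch on a newer
// request release whose tough-cookie version lies outside the range.
const sampleTree = {
  name: 'stack-exchange-markdown-retriever',
  version: '1.0.2',
  dependencies: {
    stackexchange: {
      version: '0.4.0',
      dependencies: {
        request: {
          version: '2.72.0',
          dependencies: { 'tough-cookie': { version: '2.2.2' } },
        },
      },
    },
    'some-other-lib': {               // hypothetical package
      version: '1.0.0',
      dependencies: {
        request: {
          version: '2.74.0',
          dependencies: { 'tough-cookie': { version: '2.3.0' } },  // assumed resolution
        },
      },
    },
  },
};

const report = findVulnerablePaths(sampleTree);
for (const p of report) console.log('affected path:', p);
if (report.length === 0) console.log('no tough-cookie in the affected range');
```

To run it against a real project, replace `sampleTree` with the parsed output of `npm ls --json --all`; the same `findVulnerablePaths` call works because the shape is the same. The comparison is deliberately numeric rather than string-based, so 2.10.0 sorts after 2.9.0 as it should.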
Collaborator

Trott commented May 29, 2018

request is updated to ^2.87.0 in 1.0.0-1 of this package, which you can get with npm install stackexchange@next. Or you can wait until 1.0.0 is published, which should be soon.

Thanks for the PR and sorry it sat so long!

Trott closed this May 29, 2018

m4bwav commented May 29, 2018

It's all good!
