Security fix for ReDoS (#3980)
ready-research committed Aug 30, 2021
1 parent 5bc9ea2 commit 5b457116e31db0e88fede6c428e969e87f290929
Showing with 1 addition and 1 deletion.
  1. +1 −1 lib/utils.js
@@ -185,7 +185,7 @@ function isURLSearchParams(val) {
* @returns {String} The String freed of excess whitespace
*/
function trim(str) {
return str.replace(/^\s*/, '').replace(/\s*$/, '');
return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
}

/**

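Review bot: the fallback branch on the new line, `str.replace(/^\s+|\s+$/g, '')`, still ends in a `\s+$` alternative, which backtracks quadratically when a long whitespace run sits between two non-whitespace characters (the `^\s+` alternative only absorbs a run at the very start of the string), the same input shape that makes the removed `.replace(/\s*$/, '')` a ReDoS; so the fix is complete only where `String.prototype.trim` exists and the regex path is never taken. Since the commit message presents this as a security fix, either state in the JSDoc that the regex path is reachable only on engines without native `trim`, or make the fallback linear by finding the first and last non-whitespace index with one forward and one backward scan instead of an end-anchored regex.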
7 comments on commit 5b45711

@kanatBektursyn


@kanatBektursyn kanatBektursyn replied Sep 2, 2021

What is the usage of self made trim function?

@muditjuneja


@muditjuneja muditjuneja replied Sep 3, 2021

Something related to this : https://app.snyk.io/vuln/SNYK-JS-AXIOS-1579269?

@vargaurav


@vargaurav vargaurav replied Sep 5, 2021

This is getting flagged in snyk.

@tbogard


@tbogard tbogard replied Sep 6, 2021

What is the usage of self made trim function?

Probably an intended custom made trim function with the intention to be faster... but ended in bloating resources...

@catscarlet


@catscarlet catscarlet replied Sep 8, 2021

But, but str.trim() should not only deal with \s but also deal with \uFEFF and \xA0.

The trim Polyfill was:

if (!String.prototype.trim) {
  String.prototype.trim = function () {
    return this.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
  };
}

MDN(en) removed this part because of "outdated with WebView Android 37".
The other languages still have this Polyfill part.

See mdn/content#7602
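Added example (JavaScript, not axios code and not posted by any commenter): it puts the trim line the commit removed, the line it added, and that line's regex fallback beside a linear scan, times each on a constructed input of the shape that triggers the backtracking (a long run of spaces between two non-space characters), and checks that the regex fallback and the linear scan strip \u00A0 and \uFEFF exactly as native trim() does, since ECMAScript's \s already covers both. The function names, input sizes and sample strings are assumptions made for the demonstration.

```javascript
// Added example, not axios code. Sample inputs below are constructed.

// The line the commit removed: the end-anchored /\s*$/ backtracks
// quadratically on a whitespace run that is followed by a non-whitespace
// character and is not already eaten by the leading /^\s*/ replace.
function trimBefore(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// The line the commit added: native trim when present, regex otherwise.
function trimAfter(str) {
  return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
}

// The fallback branch on its own, so its cost can be measured directly.
function trimFallback(str) {
  return str.replace(/^\s+|\s+$/g, '');
}

// Linear-time trim: one forward and one backward scan, each testing a single
// character, so no backtracking is possible. \s is kept as the per-character
// test so the whitespace definition matches the regex versions above
// (ECMAScript \s includes \u00A0 and \uFEFF as well as ASCII whitespace).
function trimLinear(str) {
  const ws = /\s/;
  let start = 0;
  let end = str.length;
  while (start < end && ws.test(str[start])) start += 1;
  while (end > start && ws.test(str[end - 1])) end -= 1;
  return str.slice(start, end);
}

// Constructed ReDoS input: a whitespace run between two non-space characters,
// so neither a leading /^\s*/ nor a /^\s+/ alternative can absorb it first.
function adversarialInput(n) {
  return 'x' + ' '.repeat(n) + 'y';
}

// Wall-clock milliseconds for one call of fn on input (assumed helper).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// True when every implementation returns what native trim returns for input.
function allAgree(input) {
  const expected = input.trim();
  return [trimBefore, trimAfter, trimFallback, trimLinear]
    .every((fn) => fn(input) === expected);
}

// Demo: the two regex versions roughly quadruple when n doubles; the native
// and linear versions stay flat.
for (const n of [5000, 10000]) {
  const input = adversarialInput(n);
  console.log(`n=${n}`, {
    before: timeMs(trimBefore, input).toFixed(1),
    fallback: timeMs(trimFallback, input).toFixed(1),
    after: timeMs(trimAfter, input).toFixed(1),
    linear: timeMs(trimLinear, input).toFixed(1),
  });
}
console.log(allAgree('\uFEFF\xA0 padded \xA0\uFEFF\n')); // true
```

The timing loop is the part worth running: the regex versions are only slow on inputs where the whitespace run is interior, which is why a quick test with leading spaces alone does not reproduce the problem.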

@Teej42


@Teej42 Teej42 replied Sep 9, 2021

It is not clear to me, but was this fix added in v0.21.4 release, or will be added in the next release?

@jasonsaayman


@jasonsaayman jasonsaayman replied Sep 9, 2021

Already added :) I think the custom trim function was used like this in case a browser or version of node did not have native support. I don't think we can drop it just yet due to supporting a pretty large range of browsers. However I will review some of that code when I have a chance and see if it would be possible to get rid of it.
