
Security fix for ReDoS #3980

Merged
merged 1 commit into from Aug 30, 2021

Conversation

@ready-research
Contributor

@ready-research ready-research commented Aug 26, 2021

Fixes #3979

Security fix for ReDoS vulnerability.

https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String/Trim

Reported in https://www.huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Before fix: Result
time_cost: 2968
After fix: Result
time_cost: 6
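The PR description gives only the before/after timings and a link to String.prototype.trim, not the diff. The following is an added example (not code from the axios repository or from this PR) that puts a regex-based trim of the kind that backtracks superlinearly on long whitespace runs next to a native-trim form, and times both on a constructed input so a maintainer can reproduce a time_cost comparison like the one above. It assumes the pre-fix helper stripped trailing whitespace with a `\s*$` style regex; that is an assumption about the original, since the page does not show it. The index-scan fallback is this example's own, not the PR's.

```javascript
// Added example, not axios's own code. Assumption: the pre-fix trim helper used a
// trailing-whitespace regex; this page shows only the timings, not the diff.

// Regex-based trim. `\s*$` is attempted from every position in the string; on a
// long run of whitespace followed by one non-space character, each attempt scans
// to the end of the run, fails at `$`, and backtracks, so cost grows quadratically.
function trimWithRegex(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened trim: native String.prototype.trim is linear in the input length.
// The fallback (this example's own) is a pair of index scans, also linear, for
// hosts that lack the native method.
function trimSafe(str) {
  if (typeof str.trim === 'function') return str.trim();
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Wall-clock cost of fn(input) in milliseconds.
function timeMs(fn, input) {
  const started = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - started) / 1e6;
}

// Constructed input: n spaces followed by a single non-whitespace character,
// the shape on which the trailing-whitespace regex never matches at the end.
function constructedInput(n) {
  return ' '.repeat(n) + 'x';
}

// Compare both implementations on the same constructed input. Both must return
// the same string; only the time should differ.
function compare(n) {
  const input = constructedInput(n);
  return {
    n,
    regexMs: timeMs(trimWithRegex, input),
    safeMs: timeMs(trimSafe, input),
    sameResult: trimWithRegex(input) === trimSafe(input),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [1000, 5000, 20000]) console.log(compare(n));
}
```

Run it with Node; the `regexMs` column grows roughly with the square of `n` while `safeMs` stays flat, which is the same shape as the 2968 versus 6 time_cost figures in the PR description. Keep `n` modest on shared machines, since the regex path is the slow one by design.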

@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Aug 30, 2021

@ready-research thanks for the fix :)


@jasonsaayman jasonsaayman merged commit 5b45711 into axios:master Aug 30, 2021
3 checks passed
@ready-research
Contributor Author

@ready-research ready-research commented Aug 30, 2021

@jasonsaayman Thank you for the quick response. Can you please confirm the same in https://www.huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/ by validating and confirming the fix.


@ready-research
Contributor Author

@ready-research ready-research commented Aug 30, 2021

@zidingz Can you please provide access to @jasonsaayman and guide him to validate and confirm the fix.
Thank you


@ImRodry
Contributor

@ImRodry ImRodry commented Sep 1, 2021

Could a release be published with this fix now that it has been merged?


@hreiner

@hreiner hreiner commented Sep 2, 2021

Same as ImRodry, could a release be published?


@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Sep 2, 2021

Hi, I cannot release the project, I have asked everyone with access the moment that I released this. If there was a way for me to release it I would do so. I have also asked for access to be allowed to process releases.


@ImRodry
Contributor

@ImRodry ImRodry commented Sep 2, 2021

Alright thank you! Hope that gets sorted quickly since I believe this is quite an important one


@kanatBektursyn

@kanatBektursyn kanatBektursyn commented Sep 2, 2021

I've got a question. Is it a normal way of dealing with a security issue, when a person opens up 10 discussions on several websites and shares it publicly? By the way, the potential problem was addressed a year ago in an earlier pull request. See my mention, or by clicking this #3446


@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Sep 2, 2021

Normally it is handled privately but in this case it seems to have not been. As for the earlier pull request, I have pretty much been trying to get through stuff on the repo but have also had some other stuff on my plate so was gone for a couple months. I will continue merging stuff and looking into issues more frequently now that I have more time.


@kanatBektursyn

@kanatBektursyn kanatBektursyn commented Sep 2, 2021

Thanks for the answer! Wish you the best


abhinavkgrd added a commit to ente-io/bada-frame that referenced this issue Sep 5, 2021