Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix ReDoS #593

Merged
merged 1 commit into from Apr 22, 2021
Merged

Fix ReDoS #593

merged 1 commit into from Apr 22, 2021

Conversation

@yetingli
Copy link
Contributor

@yetingli yetingli commented Apr 22, 2021

Fix 6 ReDoS-vulnerable regexes with pattern \d*\.?\d+.
Fix strategy: Replace \d*\.?\d+ with \d+|\d*\.\d+

Fix 6 ReDoS-vulnerable regexes with pattern `\d*\.?\d+`.
Fix strategy: Replace  `\d*\.?\d+` with  `(d+|\d*\.\d+)`
@ai
Copy link
Member

@ai ai commented Apr 22, 2021

Thanks for finding ReDoS in PostCSS and Browserslist.

Seems like this RegExp change breaks the query scanner. I will try to fix it.

@ai ai merged commit bd1e9e0 into browserslist:main Apr 22, 2021
0 of 5 checks passed
0 of 5 checks passed
@github-actions
Node.js 15 Full Node.js 15 Full
Details
@github-actions
Node.js 14 Quick Node.js 14 Quick
Details
@github-actions
Node.js 12 Quick Node.js 12 Quick
Details
@github-actions
Node.js 10 Quick Node.js 10 Quick
Details
@github-actions
Node.js 8 Quick Node.js 8 Quick
Details
@ai
Copy link
Member

@ai ai commented Apr 22, 2021

I fixed RegExp by 1013a18

@yetingli
Copy link
Contributor Author

@yetingli yetingli commented Apr 22, 2021

I fixed RegExp by 1013a18

The fixed regex is also safe.

@ai
Copy link
Member

@ai ai commented Apr 22, 2021

Do you have a Twitter account to mention you in release tweets?

@ai
Copy link
Member

@ai ai commented Apr 22, 2021

The fix was released in 4.16.5.

@yetingli
Copy link
Contributor Author

@yetingli yetingli commented Apr 22, 2021

Thanks a lot! My Twitter account is yetingli26

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants