Fix a possible ReDoS
cronvel committed Oct 12, 2021
1 parent 6e529a5 commit a2e446cc3927b559d0281683feb9b821e83b758c
Showing with 26 additions and 6 deletions.
  1. +6 −0 CHANGELOG
  2. +10 −0 SECURITY.md
  3. +4 −2 browser/termkit.js
  4. +1 −1 browser/termkit.min.js
  5. +4 −2 lib/misc.js
  6. +1 −1 package.json
@@ -1,4 +1,10 @@

v2.1.8
------

Fix a possible ReDoS


v2.1.7
------

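Review bot: the v2.1.8 entry only says "Fix a possible ReDoS", which is too little for a downstream user deciding whether to upgrade; name the affected function (misc.markupWidth, per the lib/misc.js hunk) and the trigger class (a run of the markup opener `^[` with no closing `]`), so a consumer can tell whether untrusted input ever reaches that path in their application.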
@@ -0,0 +1,10 @@

## Reporting a Vulnerability

If you think you have found a vulnerability, _please report responsibly_.
Don't create GitHub issues for security issues.
Instead, send an email to cedric dot ronvel at gmail dot com and I will look into it as soon as possible.

**A note for bounty hunters:** I should mention that I *usually* prefer to fix security issues by myself,
because it could involve rethinking API or fixing it / working around it in a way only an official maintainer can do it.
I want to avoid people getting frustrated: **don't work on a fix before getting in touch with me**.
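Review bot: the policy gives a contact and asks reporters not to open public issues, but it says nothing about which release lines receive security fixes or how long a reporter should wait before asking for a status update; a short "Supported versions" line and an acknowledgement window would make the "don't work on a fix before getting in touch with me" request easier to honour, and a note on whether coordinated disclosure dates are accepted would save a round trip with bounty hunters.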
@@ -19123,9 +19123,11 @@ misc.truncateString = ( str , maxWidth ) => {



// width of a string with a markup, without control chars
// Width of a string with a markup, without control chars
misc.markupWidth = str => {
return string.unicode.width( str.replace( /\^\[[^\]]*]|\^(.)/g , ( match , second ) => {
// Fix a possible ReDoS, the regex: /\^\[[^\]]*]|\^(.)/g was replaced by: /\^\[[^^[\]]*]|\^(.)/g
// The exploit was possible with a string like: '^['.repeat(bigNumber)
return string.unicode.width( str.replace( /\^\[[^^[\]]*]|\^(.)/g , ( match , second ) => {
if ( second === ' ' || second === '^' ) {
return second ;
}
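Review bot: the tightened class `[^^[\]]*` removes the quadratic scan (with the old `[^\]]*`, every `^[` in the exploit string made the engine run to the end of the input looking for `]`, then backtrack, before falling back to the `\^(.)` alternative, so cost grew with the square of the length), but it also changes which inputs count as a complete bracketed markup token: a `^[...]` whose body contains `^` or `[` now matches only `^[` via the second alternative and the rest of the body is measured as literal text. That is fine if the markup grammar forbids those characters inside brackets, but the commit should state that invariant, and the same character class should be used wherever the library parses markup so width computation and rendering agree. This hunk is the browserified copy of lib/misc.js; browser/termkit.min.js is not rendered, so a reviewer cannot confirm the minified bundle carries the same regex.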

Large diffs are not rendered by default.

@@ -180,9 +180,11 @@ misc.truncateString = ( str , maxWidth ) => {



// width of a string with a markup, without control chars
// Width of a string with a markup, without control chars
misc.markupWidth = str => {
return string.unicode.width( str.replace( /\^\[[^\]]*]|\^(.)/g , ( match , second ) => {
// Fix a possible ReDoS, the regex: /\^\[[^\]]*]|\^(.)/g was replaced by: /\^\[[^^[\]]*]|\^(.)/g
// The exploit was possible with a string like: '^['.repeat(bigNumber)
return string.unicode.width( str.replace( /\^\[[^^[\]]*]|\^(.)/g , ( match , second ) => {
if ( second === ' ' || second === '^' ) {
return second ;
}
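Review bot: this is the source of the change mirrored in the browser bundle, and it ships without a regression test. Add one that calls `misc.markupWidth` on the string named in the comment (`'^['.repeat(n)` for a large n) under a time bound, and a second that asserts the width of a well-formed `^[...]` tag and of the `^^` escape (the `second === '^'` branch) is unchanged from 2.1.7, so the narrower class cannot silently alter layout. The comment recording the old pattern is useful history, but a one-line statement of the rule it relies on (bracket bodies never contain `^` or `[`) would serve the next maintainer better than the pattern alone.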
@@ -1,6 +1,6 @@
{
"name": "terminal-kit",
"version": "2.1.7",
"version": "2.1.8",
"description": "256 colors, keys and mouse, input field, progress bars, screen buffer (including 32-bit composition and image loading), text buffer, and many more... Whether you just need colors and styles, build a simple interactive command line tool or a complexe terminal app: this is the absolute terminal lib for Node.js!",
"main": "lib/termkit.js",
"directories": {
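Review bot: the bump to 2.1.8 matches the CHANGELOG entry; while touching this file, the unchanged `description` context line still reads "complexe terminal app", which should be "complex".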
