
Fix Regular Expression Denial of Service (ReDoS) #458

merged 1 commit into from May 17, 2017


coveralls commented May 16, 2017

Coverage remained the same at 63.804% when pulling d49a69f on hubdotcom:patch-1 into 4a6c85c on visionmedia:master.

would love to see this landed :-) I am a way upstream consumer and this is the one open vulnerability I've got at the moment.

@TooTallNate TooTallNate merged commit 15850cb into debug-js:master May 17, 2017
live on

@hubdotcom hubdotcom deleted the patch-1 branch May 17, 2017 09:49
dotchev commented May 31, 2017

We also see this issue in our projects. We depend on debug via a bunch of other packages. It will take some time until all of them are updated.
But I wonder if this issue affects debug at all.
Looking quickly in the code, it seems ms is called only with a number, not with a string. So this ReDoS issue should not be relevant, right?

    // diff is the difference of two timestamps, so it is always a number
    var ms = curr - (prevTime || curr);
    self.diff = ms;

    // humanize is the ms module itself
    exports.humanize = require('ms');

    // the only call site passes the numeric diff, not a string
    args.push('\u001b[3' + c + 'm+' + exports.humanize(this.diff) + '\u001b[0m');
