Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable Regular Expression #510

Closed
cristianstaicu opened this issue Sep 8, 2017 · 11 comments
Closed

Vulnerable Regular Expression #510

cristianstaicu opened this issue Sep 8, 2017 · 11 comments

Comments

@cristianstaicu
Copy link

The following regular expression used in unescapeHTML is vulnerable to ReDoS:

/\&([^;]+);/g

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:

  • remove the regex,
  • anchor the regex,
  • limit the number of characters that can be matched by the repetition,
  • limit the input size.

If needed, I can provide an actual example showing the slowdown.
@simonstewart-bridgement
Copy link

Any movement on this?

esamattis added a commit that referenced this issue Oct 3, 2018
@esamattis
Try to fix regexp redos
f486cd6 
fixes  #510
@esamattis esamattis mentioned this issue Oct 3, 2018
Merged
@esamattis
Copy link
Owner

Maybe? #517

@esamattis esamattis mentioned this issue Oct 3, 2018
Closed
@esamattis
Copy link
Owner

Fix released in 3.3.5. Please reopen if still an issue.

@ghost ghost mentioned this issue Feb 1, 2019
Closed
@magesh0819
Copy link

magesh0819 commented Jun 11, 2019
edited
Loading

Though the regex in question has been updated in unescapeHTML.js it is still present in underscore.string.js and underscore.string.min.js. Hence the 3.3.5 version in npm registry is still vulnerable to the Regular expression Denial of Service (ReDoS) attack.

I believe the dist was not recreated after the fix. Need to rebuild underscore.string.js and underscore.string.min.js and release new version to npm.

@claudiopro claudiopro mentioned this issue Jun 16, 2019
Closed
akito19 added a commit to akito19/sider-docs that referenced this issue Jun 19, 2019
@akito19
Calm security alert
9e9fe3b 
under.score package had valnerability:
esamattis/underscore.string#510

Therefore, I upgraded the package together with other packages by `yarn
upgrade`. There will be tolerable execution since we have 8 days after
running `yarn upgrade` and almost upgraded packages were minor updates.
vBm added a commit to OmertaBeyond/OBv3 that referenced this issue Aug 21, 2019
@vBm
Security: rehash lock file
b729da8 
This fixes the following issues
- CVE-2018-3750 (deep-extend) - https://nvd.nist.gov/vuln/detail/CVE-2018-3750
- CVE-2018-16469 (merge) - https://nvd.nist.gov/vuln/detail/CVE-2018-16469
- CVE-2019-1010266 (lodash) - https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
- WS-2019-0032 (js-yaml) - nodeca/js-yaml#475
- WS-2019-0063 (js-yaml) - nodeca/js-yaml#480
- WS-2018-0232 (underscore.string) - esamattis/underscore.string#510
@PenguinOfWar
Copy link

PenguinOfWar commented Feb 7, 2020
edited
Loading

This appears to still be an issue. NPM audit is showing a vulnerability for this package even when fully up to date with the latest version.

Am I missing something?

@esamattis
Copy link
Owner

We tried to fix this issue sometime ago. Really not sure what should be done more to solve it. PRs are very much welcome.

I'll re-open this issue to get more eyes on it.

@esamattis esamattis reopened this Feb 7, 2020
@PenguinOfWar PenguinOfWar mentioned this issue Feb 8, 2020
Closed
@PenguinOfWar
Copy link

We tried to fix this issue sometime ago. Really not sure what should be done more to solve it. PRs are very much welcome.

I'll re-open this issue to get more eyes on it.

Thanks @esamattis.

I have created a pull request for this issue: #525

Appreciate if you can check and, if happy, merge and redeploy to npm to resolve this vulnerability.

@PenguinOfWar
Copy link

Any update on this?

@rustybailey rustybailey mentioned this issue Apr 23, 2021
Closed
This was referenced Jun 9, 2021
Closed
Closed
Closed
Closed
This was referenced Jun 10, 2021
Closed
Closed
Closed
This was referenced Jun 10, 2021
Open
Closed
This was referenced Jun 14, 2021
Closed
Open
This was referenced Oct 15, 2021
Closed
Closed
This was referenced Oct 18, 2021
Open
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Oct 20, 2021
Closed
This was referenced Oct 26, 2021
Closed
Open
This was referenced Nov 5, 2021
Open
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Nov 22, 2021
Open
@carneam
Copy link

carneam commented Jan 10, 2022

Hi, is there any update on the merge eta to correct the outstanding vulnerability issue?

@esamattis
Copy link
Owner

3.3.6 is out.

@mend-for-github-com mend-for-github-com bot mentioned this issue Feb 8, 2022
Open
This was referenced Feb 9, 2022
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Feb 22, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Mar 11, 2022
Open
@debricked debricked bot mentioned this issue May 3, 2022
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Oct 31, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Feb 26, 2023
Open
@github-actions github-actions bot mentioned this issue Apr 4, 2023
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Aug 14, 2023
Closed
@dev-mend-for-github-com dev-mend-for-github-com bot mentioned this issue Oct 12, 2023
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Oct 19, 2023
Open
This was referenced Feb 8, 2024
Open
Open
This was referenced Mar 20, 2024
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@esamattis @cristianstaicu @PenguinOfWar @magesh0819 @simonstewart-bridgement @DarkAbstergo @carneam