Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regex Denial of Service requires a semver major update to clean-css #3616

Closed
muxator opened this issue Jun 23, 2019 · 3 comments
Closed

Regex Denial of Service requires a semver major update to clean-css #3616

muxator opened this issue Jun 23, 2019 · 3 comments
Labels
security stale code
Milestone
1.8.3

Comments

@muxator
Copy link
Contributor

muxator commented Jun 23, 2019

Etherpad 1.7.5 uses clean-css@3.4.19, which contains a Regular Expression Denial of Service.
A fix would require updating to clean-css@4.2.1, as shown by npm audit:

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install clean-css@4.2.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/785                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[...]

The [documentation for clean-css 4.2.1 explains the breaking change]((https://github.com/jakubpawlowicz/clean-css/tree/v4.2.1#important-40-breaking-changes):

clean-css 4.0 introduces some breaking changes:

  • root, relativeTo, and target options are replaced by a single rebaseTo option - this means that rebasing URLs and import inlining is much simpler but may not be (YMMV) as powerful as in 3.x;

And this change affects Etherpad:

etherpad-lite/src/node/utils/Minify.js

Line 418 in 357780d

new CleanCSS({relativeTo: base}).minify(content, function (errors, minified) {

@muxator muxator added this to the 1.8 milestone Jun 23, 2019
This was referenced Jun 23, 2019
Closed
Closed
@muxator muxator modified the milestones: 1.8.0, 1.8.1 Dec 7, 2019
@muxator muxator mentioned this issue Dec 26, 2019
Closed
@JohnMcLear JohnMcLear mentioned this issue Mar 16, 2020
Closed
@muxator
Copy link
Contributor Author

muxator commented Mar 19, 2020

Also, it is to be noted that (apart from the difficulty in making @import statements work in clean-css 4.x (see #3721 (comment)), the library is not actively maintained at the moment.

See this comment by the author, who is doing releases just because of kindness:

[...] The project is not actively maintained anymore and I'm looking into handing it over. [...]

Btw I can release the next version if there's a need.

Originally posted by @jakubpawlowicz in clean-css/clean-css#1105 (comment)

@jakubpawlowicz
Copy link

@muxator that's right, clean-css is not actively maintained anymore apart from occasional security bugfixes and PR from community.

@muxator muxator mentioned this issue Mar 21, 2020
Closed
@muxator
Copy link
Contributor Author

muxator commented Mar 21, 2020

Bumping clean-css from 3.4.19 to 4.2.3 required two changes.

The first one was more or less described in the documentation and in some Github isses. For the second one there was no other way than read the code and understand how to read a local file from an absolute path.

Probably this is worth a documentation PR on clean-css, even if it's out of support. No one has to suffer the same pain again. :)

Changes:

  1. Disabling rebase was necessary because otherwise the URLs for the web fonts ended up being wrong;

    EXAMPLE 1:
    /static/css/src/static/font/fontawesome-etherpad.woff
    instead of
    /static/font/fontawesome-etherpad.woff

    EXAMPLE 2 (this is more surprising):
    /p/src/static/font/opendyslexic.otf
    instead of
    /static/font/opendyslexic.otf

  2. CleanCSS.minify() can either receive a string containing the CSS, or an array of strings. When it receives a string, it is interpreted as the CSS code itself. If it receives an array, each array element is interpreted as an absolute local path from which the CSS file is read. I was not able to find any place in the documentation mentioning this, and it was necessary to study the source code.

Resource inlining was simplified in clean-css 4.x, but now we can no longer give a base path in relativeTo. For this reason, we had to ignore our already loaded content argument, and had to wrap the absolute path to the css file in an array and pass it to minify().

Gosh, this was hard to understand.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security stale code
Projects
None yet
Milestone
1.8.3
Development

Successfully merging a pull request may close this issue.

Update clean-css 3.4.19 -> 4.2.3 JohnMcLear/etherpad-lite
2 participants
@jakubpawlowicz @muxator