Update index.js #247

Merged
merged 1 commit into from Mar 28, 2024

Conversation

ZoomerTedJackson
Contributor

edited the regex on line 448 in order to make it lazy instead of greedy. This should not affect how this if statement works at all, but will reduce the risk of a Regular Expression Denial of Service from larger patterns.

Hello, and thanks for contributing to micromatch!

tldr

There are three main goals in this document, depending on the nature of your pr:

  • description: please tell us about your pr
  • checklist: please review the checklist that is most closely related to your pr

The following sections provide more detail on each.

Improve this document

Please don't hesitate to ask questions for clarification, or to make suggestions (or a pull request) to improve this document.

Description

To help the project's maintainers and community to quickly understand the nature of your pull request, please create a description that incorporates the following elements:

  • what is accomplished by the pr
  • if there is something potentially controversial in your pr, please take a moment to tell us about your choices

edited the regex on line 448 in order to make it lazy instead of greedy. This should not affect how this if statement works at all, but will reduce the risk of a Regular Expression Denial of Service from larger patterns.

Checklist

Please use the checklist that is most closely related to your pr (you only need to use one checklist, and you can skip items that aren't applicable or don't make sense):

Fixing typos

  • Please review the readme advice section before submitting changes

Documentation

  • Please review the readme advice section before submitting changes

Bug Fix

  • All existing unit tests are still passing (if applicable)
  • Add new passing unit tests to cover the code introduced by your pr
  • Update the readme (see readme advice)
  • Update or add any necessary API documentation

These checklist items were not applicable to this fix.

New Feature

  • If this is a big feature with breaking changes, consider opening an issue to discuss first. This is completely up to you, but please keep in mind that your pr might not be accepted.
  • Run unit tests to ensure all existing tests are still passing
  • Add new passing unit tests to cover the code introduced by your pr
  • Update the readme (see readme advice)

Thanks for contributing!

Readme advice

Please review this section if you are updating readme documentation.

Readme template

This project uses verb for documentation. Verb generates the project's readme documentation from the .verb.md template in the root of this project.

Make all documentation changes in .verb.md, and please do not edit the readme.md directly, or your changes might accidentally get overwritten.

Code comments

Please add code comments (following the same style as existing comments) to describe any code changes or new code introduced by your pull request.

Optionally build the readme

Any changes made to .verb.md and/or code comments will be automatically incorporated into the README documentation the next time verb is run.

We can take care of building the documentation for you when we merge in your changes, or feel free to run verb yourself. Whatever you prefer is fine with us.

@RobinGiel

@jonschlinkert can this be merged? it will fix this issue:

CVE Detailed Information
Credit: Checkmarx
Published: Jan 24, 2024
The NPM package "micromatch" is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.braces()" in "index.js" because the pattern ".*" will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. This issue could be mitigated by using a safe pattern that won't start backtracking the regular expression due to its greedy matching.

@MarioTeixeiraCx

MarioTeixeiraCx commented Mar 20, 2024

Hello @RobinGiel @jonschlinkert,

Thank you for the mention.

We have analyzed this and concluded that the issue is not fully solved even with the lazy regex. In the tests we did, we were still able to cause backtracking by opening various braces, and the execution will hang for longer as the number of braces provided increases.

We see you mentioned "CVE" so we would like to know if you requested CVEs yourself. We don't want to create duplicate entries.

Thank you for your time.

Best regards,
Mário Teixeira
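The advisory above describes a greedy ".*" between braces that backtracks on inputs with no closing brace, and the comment it answers notes that merely making the quantifier lazy still leaves the check hanging longer as the number of open braces grows. The following JavaScript is an added example, not micromatch's own code: the two regexes are assumptions modelled on the advisory's wording (the actual expression at index.js line 448 is not shown on this page), and the point of the block is the third variant, a backtracking-free single-pass scanner that answers the same yes/no question in linear time, together with a consistency check that it agrees with both regex forms on constructed inputs.

```javascript
// Added example, not micromatch's own code. The two regexes are assumptions
// modelled on the advisory's wording (a ".*" between an opening and a closing
// brace); the real expression at index.js line 448 is not shown on the page.

// Greedy form: ".*" first consumes to the end of the line, then backs off one
// character at a time looking for "}".
const GREEDY_BRACE = /\{.*\}/;

// Lazy form (the shape of change the PR describes): ".*?" grows one character
// at a time instead. On input holding many "{" and no "}", either form
// re-scans the rest of the line once per "{", so the cost stays superlinear;
// the lazy form only changes how the engine gets there.
const LAZY_BRACE = /\{.*?\}/;

// The check as a regex test, parameterised so both forms can be compared.
function hasBraceRegex(pattern, re = LAZY_BRACE) {
  return re.test(pattern);
}

// "." in a JavaScript regex does not match these characters, so the scanner
// below forgets a pending "{" when it crosses one, to stay equivalent.
const LINE_TERMINATORS = new Set(['\n', '\r', '\u2028', '\u2029']);

// Backtracking-free equivalent: one left-to-right pass that answers the same
// question ("is some '{' followed, on the same line, by a '}'?") in O(n) time
// however many unmatched "{" the input contains.
function hasBraceLinear(pattern) {
  let pendingOpen = false;
  for (const ch of pattern) {
    if (LINE_TERMINATORS.has(ch)) {
      pendingOpen = false;
    } else if (ch === '{') {
      pendingOpen = true;
    } else if (ch === '}' && pendingOpen) {
      return true;
    }
  }
  return false;
}

// Constructed sample patterns (not taken from the page): ordinary brace
// expansions, inputs with no closing brace, and a line break between braces.
const SAMPLE_PATTERNS = [
  'src/**/*.{js,ts}',
  'a{b',
  '}a{',
  '{\n}',
  '{{{{{{{{{{x', // many unmatched "{" and no "}", the shape the advisory describes
  'a{{b}}c',
  '',
];

// Returns true when the greedy regex, the lazy regex and the linear scanner
// give the same verdict on every sample, i.e. the scanner is a drop-in
// replacement for the regex test.
function checksAgree(patterns) {
  return patterns.every(p => {
    const linear = hasBraceLinear(p);
    return hasBraceRegex(p, GREEDY_BRACE) === linear &&
           hasBraceRegex(p, LAZY_BRACE) === linear;
  });
}

// Stand-alone run: print each verdict and confirm the three checks agree.
for (const p of SAMPLE_PATTERNS) {
  console.log(JSON.stringify(p), '->', hasBraceLinear(p));
}
console.log('all three checks agree:', checksAgree(SAMPLE_PATTERNS));
```

The scanner keeps only one bit of state (whether an unmatched "{" has been seen on the current line), so its running time depends on the input length alone, which is the property a guard in front of a parser needs when the input is attacker-controlled. Replacing the regex with such a scan is one option; another is to keep a regex but bound it so it cannot re-scan per "{" (for example by excluding braces and line terminators from the repeated class), which this example does not show.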

@jonschlinkert jonschlinkert merged commit 81e4d93 into micromatch:master Mar 28, 2024
@MarioTeixeiraCx

Hi @jonschlinkert,

Thank you for merging the changes earlier. However, we remind you that the issue is still present.

Additionally, we would appreciate knowing if you requested a CVE so we avoid double work.

Best regards,
Mário Teixeira

@rmn183

rmn183 commented Apr 1, 2024

Yeah @MarioTeixeiraCx pls roll out this version with the fixes asap. thank you

@rjegoncalves

Hello @RobinGiel and @jonschlinkert,

I am reaching out to see if you have an answer regarding Mário's inquiry about the CVEs.
And to understand if there's anything else we can help you with regarding the two reported security vulnerabilities (#243).

We have the means to reserve the CVEs and in case all is agreed on our side we will publish them in the coming weeks.

Thank you for your time and dedication to address the reported items.

Best Regards,
Ricardo Gonçalves

@MarioTeixeiraCx

Hello @RobinGiel and @jonschlinkert,

The CVEs are now public. You can see this comment for more details:
#243 (comment)

Best regards,
Mário Teixeira
