Update index.js #247
Conversation
edited the regex on line 448 in order to make it lazy instead of greedy. This should not affect how this if statement works at all, but will reduce the risk of a Regular Expression Denial of Service from larger patterns.
@jonschlinkert can this be merged? it will fix this issue: CVE Detailed Information
Hello @RobinGiel @jonschlinkert, Thank you for the mention. We have analyzed this and concluded that the issue is not fully solved even with the lazy regex. In the tests we did, we were still able to cause backtracking by opening various braces, and the execution will hang for longer as the number of braces provided increases. We see you mentioned "CVE" so we would like to know if you requested CVEs yourself. We don't want to create duplicate entries. Thank you for your time. Best regards,
Hi @jonschlinkert, Thank you for merging the changes earlier. However, we remind you that the issue is still present. Additionally, we would appreciate knowing if you requested a CVE so we avoid double work. Best regards,
Yeah @MarioTeixeiraCx pls roll out this version with the fixes asap. thank you
Hello @RobinGiel and @jonschlinkert, I am reaching out to see if you have an answer regarding Mário's inquiry about the CVEs. We have the means to reserve the CVEs and in case all is agreed on our side we will publish them in the coming weeks. Thank you for your time and dedication to address the reported items. Best Regards,
Hello @RobinGiel and @jonschlinkert, The CVEs are now public. You can see this comment for more details: Best regards,
Hello, and thanks for contributing to micromatch!
tldr
There are three main goals in this document, depending on the nature of your pr:
The following sections provide more detail on each.
Improve this document
Please don't hesitate to ask questions for clarification, or to make suggestions (or a pull request) to improve this document.
Description
To help the project's maintainers and community to quickly understand the nature of your pull request, please create a description that incorporates the following elements:
edited the regex on line 448 in order to make it lazy instead of greedy. This should not affect how this if statement works at all, but will reduce the risk of a Regular Expression Denial of Service from larger patterns.
Checklist
Please use the checklist that is most closely related to your pr (you only need to use one checklist, and you can skip items that aren't applicable or don't make sense):
Fixing typos
Documentation
Bug Fix
These checklist items were not applicable to this fix.
New Feature
Thanks for contributing!
Readme advice
Please review this section if you are updating readme documentation.
Readme template
This project uses verb for documentation. Verb generates the project's readme documentation from the .verb.md template in the root of this project.
Make all documentation changes in .verb.md, and please do not edit the readme.md directly, or your changes might accidentally get overwritten.
Code comments
Please add code comments (following the same style as existing comments) to describe any code changes or new code introduced by your pull request.
Optionally build the readme
Any changes made to .verb.md and/or code comments will be automatically incorporated into the README documentation the next time verb is run.
We can take care of building the documentation for you when we merge in your changes, or feel free to run verb yourself. Whatever you prefer is fine with us.