Hi,
I would like to report a Regular Expression Denial of Service (REDoS) vulnerability in three.
It allows causing a denial of service when handling rgb or hsl colors.
The vulnerable regex is located in three.js/src/math/Color.js, line 166 in 2d04b4b.
To Reproduce
Steps to reproduce the behavior:
Code
```js
var three = require('three')

// Build "rgb(" followed by n spaces and no closing ")"
function build_blank (n) {
  var ret = "rgb("
  for (var i = 0; i < n; i++) {
    ret += " "
  }
  return ret + "";
}

var Color = three.Color
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost + " ms")
```
I am willing to suggest that you replace the regex `/^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/` with `/^((?:rgb|hsl)a?)\(\s*([^\)\s]*)\)/`.
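Why the quoted regex is slow, and what a linear-time replacement looks like, as an added example that is not part of the report or of three.js. In `/^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/` the `\s*` and the `[^\)]*` both accept spaces, so on `"rgb("` plus a long run of spaces with no closing parenthesis the engine tries every split of that run between the two quantifiers before failing: quadratic work in the number of spaces. The `HARDENED` regex below is this example's own alternative (not the project's fix): it drops the leading `\s*` so only one quantifier consumes the run, and strips leading whitespace after the capture instead. The helpers `buildBlank`, `parseColorCall` and `matchTimeMs` are example code. It also runs the regex proposed in the report, which is linear but no longer matches `"rgb(255, 0, 0)"` with spaces after the commas, because its capture group excludes whitespace.

```javascript
// Added example (not three.js code): reproduces the quadratic backtracking of the
// regex quoted in the report and compares two linear-time alternatives.

// The regex quoted in the report. `\s*` and `[^\)]*` both match spaces, so when
// the closing ")" is missing the engine tries every split of the run of spaces
// between them before giving up: O(n^2) steps for n spaces.
const VULNERABLE = /^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/;

// The replacement proposed in the report: the capture can no longer contain
// whitespace, so there is nothing to backtrack over (linear), but it also stops
// matching "rgb(255, 0, 0)" with spaces after the commas.
const SUGGESTED = /^((?:rgb|hsl)a?)\(\s*([^\)\s]*)\)/;

// This example's own alternative (an assumption, not the project's fix): drop
// the leading `\s*` so a single quantifier consumes the run, then trim leading
// whitespace from the capture. Same captures as VULNERABLE, linear time.
const HARDENED = /^((?:rgb|hsl)a?)\(([^\)]*)\)/;

// Constructed attacker input from the report: "rgb(" + n spaces, no ")".
function buildBlank(n) {
  return "rgb(" + " ".repeat(n);
}

// Parse "fn(args)" with the given regex; returns { fn, args } or null.
// trimStart() makes HARDENED return the same args as VULNERABLE.
function parseColorCall(re, str) {
  const m = re.exec(str);
  if (!m) return null;
  return { fn: m[1], args: m[2].trimStart() };
}

// Wall-clock cost in milliseconds of running `re` against buildBlank(n).
function matchTimeMs(re, n) {
  const input = buildBlank(n);
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Doubling n roughly quadruples the time for VULNERABLE; the others stay flat.
for (const n of [4000, 8000, 16000]) {
  console.log(
    `n=${n}: vulnerable ${matchTimeMs(VULNERABLE, n).toFixed(1)} ms, ` +
    `suggested ${matchTimeMs(SUGGESTED, n).toFixed(3)} ms, ` +
    `hardened ${matchTimeMs(HARDENED, n).toFixed(3)} ms`
  );
}
```

The point to check before adopting any rewrite of this regex is the second one: the proposed pattern is fast, but the parser downstream will no longer see `"rgb(255, 0, 0)"` at all, so run the project's colour-string tests against the candidate and not only the timing harness.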
I made a pull request for this: #21142