Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix ReDoS in previous-map #1567

Merged
merged 1 commit into from
Apr 26, 2021
Merged

Fix ReDoS in previous-map #1567

merged 1 commit into from
Apr 26, 2021

Conversation

yetingli
Copy link
Contributor

Fix Strategy: Replace (.*) with (?:(?!sourceMappingURL=).)*

Fix Strategy: Replace `(.*)` with `(?:(?!sourceMappingURL=).)*`
@ai ai merged commit 2b1d04c into postcss:main Apr 26, 2021
@ai
Copy link
Member

ai commented Apr 26, 2021

Thanks. Released in 8.2.13.

@AndrewRayCode
Copy link

I'm looking at snyk and I don't understand how this would be exploited. Would you somehow need to construct a malicious source map (?) and inject it (?) into someone's build pipeline that uses postcss?

@ai
Copy link
Member

ai commented May 13, 2021

@AndrewRayCode yeap. It could be used on services like CodePen, when users use servers to compile user’s CSS.

And it is not a real vulnerability. But a way to increase used resources. Even without fixing PostCSS you can add extra timeout check and kill commands which takes too much time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants