CVE-2021-33623 is a lie #5

Closed
bz2 opened this issue Jun 10, 2021 · 3 comments

@bz2

bz2 commented Jun 10, 2021

Hi! I'm here because of a dependabot alert on a project using stylelint which ends up depending on this package.

```
$ npm ls trim-newlines
...
└─┬ stylelint@13.13.1
  └─┬ meow@9.0.0
    └── trim-newlines@3.0.0
```

Essence: The security issue that claims to have been fixed in 25246c6 does not exist.

Rather than diving into the details of how exponential backtracking can happen with regexps (and whether that's really worth a CVE in the first place), it's pretty easy to show the original code was not affected. Just revert your implementation change and re-run the tests you added - they still pass. Get them to print timings - the time for all input sizes is ~0ms.

It's not clear to me how CVE-2021-33623 was reported and assigned. Some kind of external CVE stuffing exercise?

As this just seems to be a library you made to help your own projects I'm not going to wave left-pad around too much, but will point out the original (and perfectly fine) implementation is 4 lines of code.

@sindresorhus
Owner

> Just revert your implementation change and re-run the tests you added - they still pass. Get them to print timings - the time for all input sizes is ~0ms.

That's just because I screwed up the test case: 37681e9

@bz2
Author

bz2 commented Jun 10, 2021

Thanks for updating the tests, you're right that does show the backtracking issue properly.

@bz2 bz2 closed this as completed Jun 10, 2021
@sindresorhus
Owner

I totally agree "vulnerabilities" like these should not exist at all. This is a flaw in JS/V8 and should be fixed in engines. I'm hoping for a non-backtracking RegExp engine at some point: https://v8.dev/blog/non-backtracking-regexp
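
Why a timing test for this kind of bug can report ~0ms, as an added example that is not part of the thread and not the project's code or tests: with a backtracking matcher, a trailing-newline pattern is only slow on input where the match has to fail. The pattern `/[\r\n]+$/`, the step-counting model and the sample inputs are assumptions constructed for illustration; the thread does not quote the original implementation.

```javascript
// Stand-in for a regex-based trailing-newline trim. Assumption: the thread
// does not quote the original code, so this pattern is constructed.
const regexEnd = (s) => s.replace(/[\r\n]+$/, '');

// Linear alternative: walk back from the end without a regex.
function loopEnd(s) {
  let end = s.length;
  while (end > 0 && (s[end - 1] === '\r' || s[end - 1] === '\n')) end--;
  return s.slice(0, end);
}

// Textbook model of a backtracking matcher for /[\r\n]+$/ that counts
// character tests and `$` checks. It is a model, not V8's implementation.
function backtrackSteps(s) {
  const isNl = (c) => c === '\r' || c === '\n';
  let steps = 0;
  for (let start = 0; start < s.length; start++) {
    let j = start;
    while (j < s.length && (steps++, isNl(s[j]))) j++; // greedy [\r\n]+
    for (; j > start; j--) {                           // give back one char
      steps++;
      if (j === s.length) return steps;                // `$` holds: match
    }
  }
  return steps; // no match anywhere
}

function compare(n) {
  const matching = 'a' + '\n'.repeat(n); // constructed: match succeeds
  const failing = '\n'.repeat(n) + 'a';  // constructed: `$` never holds
  return {
    matchingSteps: backtrackSteps(matching),
    failingSteps: backtrackSteps(failing),
    sameOutput: [matching, failing].every((s) => regexEnd(s) === loopEnd(s)),
  };
}

console.log(compare(1000));
```

In this model the matching input costs n + 2 steps and the failing input (n + 1)² steps, so a regression test needs the failing shape to show any difference between the regex and the loop.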
