CVE-2021-33623 is a lie #5
Hi! I'm here because of a dependabot alert on a project using stylelint which ends up depending on this package.
In essence, the security issue that claims to have been fixed in 25246c6 does not exist.
Rather than diving into the details of how exponential backtracking can happen with regexps (and whether that's really worth a CVE in the first place), it's pretty easy to show the original code was not affected. Just revert your implementation change and re-run the tests you added - they still pass. Get them to print timings - the time for all input sizes is ~0ms.
It's not clear to me how CVE-2021-33623 was reported and assigned. Some kind of external CVE stuffing exercise?
As this just seems to be a library you made to help your own projects I'm not going to wave left-pad around too much, but will point out the original (and perfectly fine) implementation is 4 lines of code.
Comments
That's just because I screwed up the test case: 37681e9
Thanks for updating the tests, you're right that does show the backtracking issue properly.
I totally agree "vulnerabilities" like these should not exist at all. This is a flaw in JS/V8 and should be fixed in engines. I'm hoping for a non-backtracking RegExp engine at some point: https://v8.dev/blog/non-backtracking-regexp
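The check the issue describes (re-run the tests with timings printed and see whether matching cost grows with input size) is easy to script. The following is an added example, not code from this project or from anyone in the thread: it times a regex against worst-case inputs of increasing length and reports whether the growth looks superlinear. The two patterns are generic illustrations of a catastrophic nested quantifier and its linear equivalent, not the regex from the package under discussion; the size list, the `floorMs` timer-noise floor and the `ratioThreshold` verdict cutoff are assumptions for this example. It relies on the `performance` global available in Node.js 16 and later.

```javascript
// Added example: measure regex matching time as a function of input size.
// Not the project's code; the patterns below are illustrative only.

// Classic catastrophic pattern: a nested quantifier. On an input that cannot
// match, the engine tries every way of splitting the run of a's (2^(n-1) ways).
const CATASTROPHIC = /^(a+)+$/;
// Linear alternative that accepts the same language without nested quantifiers.
const LINEAR = /^a+$/;

// Worst-case input for the patterns above: n a's followed by a character that
// forces the overall match to fail, so all backtracking paths are explored.
function worstCaseInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock milliseconds for a single test() call (performance is a Node global).
function timeMatch(re, input) {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Time the regex at each size; returns [{ n, ms }, ...] so callers can print or assert.
function growthProfile(re, sizes, makeInput = worstCaseInput) {
  return sizes.map((n) => ({ n, ms: timeMatch(re, makeInput(n)) }));
}

// Heuristic verdict (assumed thresholds): compare the slowest-size time to the
// smallest-size time, flooring both at floorMs so sub-millisecond timer noise on
// tiny inputs cannot manufacture huge ratios. A linear regex stays within a small
// factor even when the input grows by orders of magnitude; exponential
// backtracking does not.
function looksSuperlinear(profile, { floorMs = 1, ratioThreshold = 10 } = {}) {
  const first = Math.max(profile[0].ms, floorMs);
  const last = Math.max(profile[profile.length - 1].ms, floorMs);
  return last / first > ratioThreshold;
}

// Print timings for both patterns, the way the issue suggests doing for the tests.
function report() {
  const cases = [
    ['catastrophic', CATASTROPHIC, [10, 14, 18, 22]],
    ['linear', LINEAR, [1e3, 1e4, 1e5, 1e6]],
  ];
  const results = {};
  for (const [name, re, sizes] of cases) {
    const profile = growthProfile(re, sizes);
    console.log(name, profile.map((p) => `${p.n}: ${p.ms.toFixed(2)}ms`).join(', '));
    console.log(`  superlinear? ${looksSuperlinear(profile)}`);
    results[name] = looksSuperlinear(profile);
  }
  return results;
}

report();
```

On a current Node.js the catastrophic pattern goes from well under a millisecond at n=10 to a clearly visible delay by n=22, while the linear pattern handles a million characters in a few milliseconds; that contrast, rather than any absolute number, is what the timing check in the issue is looking for. Note that timing is inherently noisy, so a check like this belongs in an ad-hoc investigation or a generously thresholded test, not a tight CI assertion.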