glob-parent introduces ReDoS vulnerability #4454

Closed
simonhmadsen opened this issue May 25, 2021 · 9 comments

Comments

simonhmadsen commented May 25, 2021

What version of Tailwind CSS are you using?

2.1.2

What build tool (or framework if it abstracts the build tool) are you using?

webpack@5.14.0

What version of Node.js are you using?

v14.11.0

What browser are you using?

Chrome

What operating system are you using?

macOS

Reproduction repository

https://github.com/tailwindlabs/tailwindcss

Describe your issue

I previously opened an issue related to a ReDoS vulnerability in tailwind caused by the indirect dependency on glob-parent, but it was closed with the comment:

Hey! This is a transitive dependency for us but we are on 5.1.2 in our lock file already. For anyone who installs Tailwind, the lock file will be ignored but they should get the latest version.

I attempted to make this work, but I don't think it is possible.

Even after deduplicating and optimizing the lock-file, glob-parent is still present in a version from before the fix was introduced. It seems that the following dependency relationship introduces the vulnerability:

tailwindcss@2.1.2 › parse-glob@3.0.4 › glob-base@0.3.0 › glob-parent@2.0.0

Unfortunately, parse-glob hasn't been updated in the last 6 years, so the newest version is 3.0.4, and the same goes for glob-base, so the only solution I can think of is to replace parse-glob with a different library.
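The point of the post above is that a hoisted, patched glob-parent in the lock file does not remove the nested, unpatched copy that glob-base still resolves to. The script below is an added example, not code from the Tailwind project or from anyone in this thread: it walks a package-lock.json v1-style "dependencies" map the way npm resolves it (nearest enclosing "dependencies" scope wins, edges come from "requires") and reports every path from a direct dependency to a glob-parent release older than the version the maintainers cited as fixed. The lock-file fragment, the `some-other-dep` package and the version ranges in `requires` are constructed for the example; the chain tailwindcss@2.1.2 › parse-glob@3.0.4 › glob-base@0.3.0 › glob-parent@2.0.0 is the one reported in the issue.

```javascript
// Added example: locate unpatched transitive copies of a package in a
// package-lock v1 tree. Not part of the Tailwind project.

const FIXED_VERSION = "5.1.2"; // version the maintainers cited as already fixed

// Minimal numeric semver comparison (major.minor.patch); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// npm resolution for a v1 lock file: the nearest enclosing "dependencies"
// map that carries `name` wins, so a nested copy shadows a hoisted one.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}

// Report every path from the given direct dependencies (`roots`, normally
// taken from package.json) to a copy of `pkg` older than `fixed`.
function findVulnerablePaths(lock, pkg, fixed, roots) {
  const hits = [];
  const top = lock.dependencies || {};

  function walk(name, info, scopes, path, seen) {
    const label = `${name}@${info.version}`;
    if (seen.has(label)) return; // guard against dependency cycles
    const seenNext = new Set(seen).add(label);
    const fullPath = path.concat(label);
    if (name === pkg && compareVersions(info.version, fixed) < 0) {
      hits.push(fullPath.join(" › "));
    }
    // A package's own nested "dependencies" form the innermost scope for
    // resolving what it "requires".
    const childScopes = scopes.concat(info.dependencies || {});
    for (const dep of Object.keys(info.requires || {})) {
      const resolved = resolve(dep, childScopes);
      if (resolved) walk(dep, resolved, childScopes, fullPath, seenNext);
    }
  }

  for (const name of roots || Object.keys(top)) {
    if (top[name]) walk(name, top[name], [top], [], new Set());
  }
  return hits;
}

// Constructed lock-file fragment. glob-parent@5.1.2 is hoisted to the top,
// but glob-base still gets its own nested glob-parent@2.0.0, exactly the
// situation the issue describes. "some-other-dep" is a hypothetical sibling.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    tailwindcss: {
      version: "2.1.2",
      requires: { "parse-glob": "^3.0.4", "some-other-dep": "^1.0.0" }
    },
    "parse-glob": { version: "3.0.4", requires: { "glob-base": "^0.3.0" } },
    "glob-base": {
      version: "0.3.0",
      requires: { "glob-parent": "^2.0.0" },
      dependencies: { "glob-parent": { version: "2.0.0" } }
    },
    "glob-parent": { version: "5.1.2" },
    "some-other-dep": { version: "1.0.0", requires: { "glob-parent": "^5.1.2" } }
  }
};

const REPORT = findVulnerablePaths(SAMPLE_LOCK, "glob-parent", FIXED_VERSION, ["tailwindcss"]);
for (const p of REPORT) console.log("unpatched copy via: " + p);
```

Running it prints the single offending chain through glob-base, while the hoisted glob-parent@5.1.2 reached via the hypothetical sibling is correctly ignored. Restricting the walk to the project's direct dependencies (`roots`) avoids reporting the same nested copy once per hoisted intermediate package; `npm ls glob-parent` gives the same picture from the command line, without the version filter.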

sephie commented May 25, 2021

@simonhmadsen, your issue link links to this same issue.

simonhmadsen (Author) commented May 25, 2021

@simonhmadsen, your issue link links to this same issue.

Thanks - should be fixed now

sephie commented May 25, 2021

Snyk's Tailwind page shows that there are 3 transitive dependencies resulting in a ReDoS vulnerability.

@adamwathan, are you sure there isn't an issue there?

adamwathan (Member) commented May 25, 2021

Hey! How would you exploit this in Tailwind? As a build tool run locally with controlled input I'm not sure there's actually anything to attack here. If you had this vulnerability in an API endpoint in your app or something it would be different, but Tailwind just generates a static CSS file and that's the only thing you deploy, and there are no attack vectors in the CSS file.

sephie commented May 25, 2021

This is a valid question, and I agree with you that there is no vulnerability to malicious users here. Perhaps only if Tailwind would get compromised ;)

That said, automatic tools like npm audit and Snyk do not make this distinction and will warn about any transitive dependency regardless of the use case or "realistic vulnerability". I expect more and more OSS users will have automatic vulnerability scanning as part of their build pipelines, resulting in failed builds, etc.

So while I'm not pushing for a fix here (and I'm not speaking on behalf of OP @simonhmadsen), it will be interesting to see how these kinds of vulnerabilities will be handled in the future.

bradlc added a commit that referenced this issue May 25, 2021
adamwathan pushed a commit that referenced this issue May 25, 2021
adamwathan pushed a commit that referenced this issue May 25, 2021
adamwathan (Member) commented

We've removed the dependency to avoid the warnings; it will go away in the next release 👍🏻

simonhmadsen (Author) commented

Awesome!

Thanks for the near-immediate response and swift action!

nikoladev commented

@adamwathan This is not fixed because parse-glob is still a dependency in tailwindcss@2.1.4. Could it be because in the 2.1 branch parse-glob can still be found in package.json? Source

adamwathan (Member) commented

It'll be fixed in 2.2.
