glob-parent introduces ReDoS vulnerability #4454
Comments
@simonhmadsen, your issue link links to this same issue.
Thanks - should be fixed now
Snyk's Tailwind page shows that there are 3 transitive dependencies resulting in a ReDoS vulnerability. @adamwathan, are you sure there isn't an issue there?
Hey! How would you exploit this in Tailwind? As a build tool run locally with controlled input I'm not sure there's actually anything to attack here. If you had this vulnerability in an API endpoint in your app or something it would be different, but Tailwind just generates a static CSS file and that's the only thing you deploy, and there are no attack vectors in the CSS file.
This is a valid question, and I agree with you that there is no vulnerability to malicious users here. Perhaps only if Tailwind would get compromised ;) That said, automatic tools like So while I'm not pushing for a fix here (and I'm not speaking on behalf of OP @simonhmadsen), it will be interesting to see how these kinds of vulnerabilities will be handled in the future.
We've removed the dependency to avoid the warnings, will go away in the next release 👍🏻
Awesome! Thanks for the near-immediate response and swift action!
@adamwathan This is not fixed because
It'll be fixed in 2.2.
What version of Tailwind CSS are you using?
2.1.2
What build tool (or framework if it abstracts the build tool) are you using?
webpack@5.14.0
What version of Node.js are you using?
v14.11.0
What browser are you using?
Chrome
What operating system are you using?
macOS
Reproduction repository
https://github.com/tailwindlabs/tailwindcss
Describe your issue
I previously opened an issue related to a ReDoS vulnerability in tailwind caused by the indirect dependency on glob-parent, but it was closed with the comment:
I attempted to make this work, but I don't think it is possible.
Even after deduplicating and optimizing the lock-file, glob-parent is still present in a version from before the fix was introduced. It seems that the following dependency relationship introduces the vulnerability
tailwindcss@2.1.2 › parse-glob@3.0.4 › glob-base@0.3.0 › glob-parent@2.0.0
Unfortunately, parse-glob hasn't been updated in the last 6 years, so the newest version is 3.0.4, and the same goes for glob-base, so the only solution I can think of is to replace parse-glob with a different library.
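One way to pin down which chain still pulls in the old glob-parent after deduplication, as an added example that is not code from this thread or from Tailwind: it walks a constructed lockfile tree shaped like the chain above and reports every path that ends at a glob-parent older than 5.1.2 (assumed here as the fixed-in version; take the real one from the advisory you are checking against).

```javascript
// Added example, not from the issue thread: walk an npm lockfile (lockfileVersion 1
// layout, nested "dependencies") and report every chain that reaches a package whose
// version is below the fixed-in version. The lockfile object below is CONSTRUCTED to
// mirror the chain quoted in the issue; it is not Tailwind's real lockfile.
const lockfile = {
  name: 'tailwindcss',
  version: '2.1.2',
  dependencies: {
    'parse-glob': {
      version: '3.0.4',
      dependencies: {
        'glob-base': {
          version: '0.3.0',
          dependencies: { 'glob-parent': { version: '2.0.0' } },
        },
      },
    },
    // A second, already-patched copy of the same package must not be reported.
    chokidar: { version: '3.5.1', dependencies: { 'glob-parent': { version: '5.1.2' } } },
  },
};

// Compare two "major.minor.patch" strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of the nested tree; returns each chain that ends at `target`
// with a version below `fixedIn`, formatted like the chain quoted in the issue.
function findVulnerablePaths(lock, target, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${name}@${dep.version}`];
      if (name === target && compareVersions(dep.version, fixedIn) < 0) {
        hits.push(next.join(' › '));
      }
      walk(dep, next); // nested copies can pull the same package in again
    }
  };
  walk(lock, [`${lock.name}@${lock.version}`]);
  return hits;
}
```

Against a real project you would call `findVulnerablePaths(require('./package-lock.json'), 'glob-parent', '5.1.2')` and get back exactly the chains a dedupe did not remove.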