
Vulnerable Regular Expression #501

Closed
cristianstaicu opened this Issue Sep 5, 2017 · 3 comments

cristianstaicu commented Sep 5, 2017

The following regular expression used in the "o" formatter is vulnerable to ReDoS:

/\s*\n\s*/

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:

  • remove the regex,
  • anchor the regex,
  • limit the number of characters that can be matched by the repetition,
  • limit the input size.

If needed, I can provide an actual example showing the slowdown.
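As an added illustration (this is constructed example code, not the debug project's code or the reporter's), the following keeps the reported regex as a reference and places a linear-time scan beside it that yields the same output: every maximal run of whitespace containing a newline becomes one space, while whitespace runs with no newline, which are what make the greedy `\s*` retry from every position, are passed through untouched. The `SAMPLE` string is a constructed stand-in for `util.inspect` output.

```javascript
// Reference behaviour exactly as reported in the issue: the greedy \s* before
// "\n" is retried from every position of a long whitespace run that contains
// no newline, so matching time grows quadratically with input length.
function collapseNewlinesRegex(s) {
  return s.replace(/\s*\n\s*/g, ' ');
}

// Linear-time equivalent. The greedy regex always ends up consuming a whole
// whitespace run when that run contains at least one "\n", so we emit one
// space per such run and copy every other run through unchanged.
function collapseNewlinesLinear(s) {
  const out = [];
  let runStart = -1;          // index where the current whitespace run began
  let runHasNewline = false;
  // Single-character \s test keeps the regex's Unicode whitespace definition
  // (NBSP, form feed, ...) but can never backtrack.
  const isWs = (ch) => /\s/.test(ch);

  for (let i = 0; i <= s.length; i++) {
    const ch = i < s.length ? s[i] : '';
    if (ch !== '' && isWs(ch)) {
      if (runStart < 0) runStart = i;
      if (ch === '\n') runHasNewline = true;
      continue;
    }
    if (runStart >= 0) {      // a whitespace run just ended: flush it
      out.push(runHasNewline ? ' ' : s.slice(runStart, i));
      runStart = -1;
      runHasNewline = false;
    }
    if (ch !== '') out.push(ch);
  }
  return out.join('');
}

// Constructed sample resembling multi-line util.inspect output of an object.
const SAMPLE = '{ a: 1,\n  b: { c: 2,\r\n    d: [ 3, 4 ] } }';

console.log(collapseNewlinesLinear(SAMPLE));
```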

TooTallNate commented Sep 13, 2017

Thanks for the report. Patch welcome! The %o formatter by design needs to remove the newlines but any performance optimizations are ❤️ 👍

fadookie commented Sep 26, 2017

@TooTallNate As far as I can tell no security patch for this issue has yet been released for 3.x, is this in the works? Thanks!

TooTallNate commented Sep 26, 2017

@fadookie Yes correct, thanks for the nudge. v3.1.0 has now been published.

saadtazi referenced this issue Oct 28, 2017: bump debug package version #3099 (Closed, 1 of 5 tasks complete)

saadtazi added a commit to saadtazi/express that referenced this issue Oct 28, 2017

update debug package version
Fixes a security vulnerability: visionmedia/debug#501

platinumazure added a commit to eslint/eslint that referenced this issue Dec 18, 2017

Upgrade: debug@^3.1.0
This version of debug addresses a minor ReDoS issue. See visionmedia/debug#501, visionmedia/debug#504 for more information. Looking at the rest of the changelog, this should be a pretty low-risk upgrade.

aladdin-add added a commit to eslint/eslint that referenced this issue Dec 19, 2017

Upgrade: debug@^3.1.0 (#9731)
This version of debug addresses a minor ReDoS issue. See visionmedia/debug#501, visionmedia/debug#504 for more information. Looking at the rest of the changelog, this should be a pretty low-risk upgrade.