Fix Regular Expression Denial of Service (ReDoS) #458

merged 1 commit into visionmedia:master from hubdotcom:patch-1 on May 17, 2017


@hubdotcom hubdotcom commented May 16, 2017

@coveralls coveralls commented May 16, 2017

Coverage remained the same at 63.804% when pulling d49a69f on hubdotcom:patch-1 into 4a6c85c on visionmedia:master.

@designfrontier designfrontier commented May 16, 2017

Would love to see this landed :-) I am a way upstream consumer, and this is the one open vulnerability I've got at the moment.

@TooTallNate TooTallNate merged commit 15850cb into visionmedia:master May 17, 2017
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
coverage/coveralls Coverage remained the same at 63.804%
@hubdotcom hubdotcom deleted the hubdotcom:patch-1 branch May 17, 2017
@dotchev dotchev commented May 31, 2017

We also see this issue in our projects. We depend on debug via a bunch of other packages. It will take some time until all of them are updated.
But I wonder if this issue affects debug at all.
Looking quickly in the code, it seems ms is called only with a number, not with a string. So this ReDoS issue should not be relevant, right?

    // in debug's source: the elapsed time is computed as a number
    var ms = curr - (prevTime || curr);
    self.diff = ms;

    // in debug's source: ms is wired in as the humanize() helper
    exports.humanize = require('ms');

    // in debug's source: humanize() receives the numeric diff, never a string
    args.push('\u001b[3' + c + 'm+' + exports.humanize(this.diff) + '\u001b[0m');
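To make the question above concrete, here is an added example (not code from `ms` or `debug`) with a simplified stand-in for the `ms()` API: it dispatches on the argument type the way the library does, so a numeric `diff` goes through arithmetic formatting and only string input reaches the regex parser, which is guarded by a length cap before any matching runs. The regex, the unit table and the `MAX_PARSE_LENGTH` value are simplified assumptions, not the library's actual code.

```javascript
// Added example: simplified stand-in for ms(), not the library's own code.
// The regex and unit table are assumptions chosen to have no nested
// quantifiers; the length cap mirrors the idea of guarding the parser.
const s = 1000, m = s * 60, h = m * 60, d = h * 24;
const MAX_PARSE_LENGTH = 100; // guard runs before any regex is evaluated

// Number branch: pure arithmetic, no regex involved. This is the branch
// debug hits, because self.diff = curr - prevTime is always a number.
function format(ms) {
  if (ms >= d) return Math.round(ms / d) + 'd';
  if (ms >= h) return Math.round(ms / h) + 'h';
  if (ms >= m) return Math.round(ms / m) + 'm';
  if (ms >= s) return Math.round(ms / s) + 's';
  return ms + 'ms';
}

// String branch: the only place a regex ever sees caller-supplied text.
// Oversized input is rejected before the regex is executed at all.
const UNITS = { ms: 1, s: s, m: m, h: h, d: d };
function parse(str) {
  if (str.length > MAX_PARSE_LENGTH) return undefined;
  const match = /^(\d+(?:\.\d+)?) *(ms|s|m|h|d)?$/i.exec(str);
  if (!match) return undefined;
  return parseFloat(match[1]) * UNITS[(match[2] || 'ms').toLowerCase()];
}

// Dispatch on type, as ms() does: a number never touches parse().
// Returns which branch ran so the call path can be checked directly.
function humanize(val) {
  if (typeof val === 'number' && isFinite(val)) {
    return { branch: 'format', value: format(val) };
  }
  if (typeof val === 'string' && val.length > 0) {
    return { branch: 'parse', value: parse(val) };
  }
  throw new Error('val is not a non-empty string or a valid number');
}

// The call debug makes: diff is a number derived from two timestamps
// (constructed sample values).
const prevTime = 1000, curr = 1250;
const diff = curr - (prevTime || curr);
const result = humanize(diff); // { branch: 'format', value: '250ms' }
```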

6 participants