
Fix Regular Expression Denial of Service (ReDoS) #458

Merged
merged 1 commit into from May 17, 2017

Conversation


@hubdotcom hubdotcom commented May 16, 2017


@coveralls coveralls commented May 16, 2017

Coverage remained the same at 63.804% when pulling d49a69f on hubdotcom:patch-1 into 4a6c85c on visionmedia:master.


@designfrontier designfrontier commented May 16, 2017

Would love to see this landed :-) I am a way upstream consumer and this is the one open vulnerability I've got at the moment.

@TooTallNate TooTallNate merged commit 15850cb into visionmedia:master May 17, 2017

2 checks passed:
- continuous-integration/travis-ci/pr: The Travis CI build passed
- coverage/coveralls: Coverage remained the same at 63.804%

@hubdotcom hubdotcom deleted the hubdotcom:patch-1 branch May 17, 2017


@dotchev dotchev commented May 31, 2017

We also see this issue in our projects. We depend on debug via a bunch of other packages. It will take some time until all of them are updated.
But I wonder if this issue affects debug at all.
Looking quickly in the code, it seems ms is called only with a number, not with a string. So this ReDoS issue should not be relevant, right?

    var ms = curr - (prevTime || curr);
    self.diff = ms;

https://github.com/visionmedia/debug/blob/master/src/debug.js#L73

    exports.humanize = require('ms');

https://github.com/visionmedia/debug/blob/master/src/debug.js#L14

    args.push('\u001b[3' + c + 'm+' + exports.humanize(this.diff) + '\u001b[0m');

https://github.com/visionmedia/debug/blob/master/src/node.js#L115
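The reasoning in the comment above (a numeric diff never reaches a string parser) can be made explicit with a type guard. The following is an added example, not code from debug or ms; the unit constants and the short-format rounding are assumptions modelled on ms's numeric output, and the timestamps are constructed.

```javascript
// Added example (not debug's or ms's code). It mirrors the flow quoted above:
// a numeric diff is computed and handed to a humanizer. The guard makes the
// string-parsing (regex) path unreachable by construction, so a long string
// can never be handed to a parser through this entry point.
const S = 1000, M = S * 60, H = M * 60, D = H * 24; // assumed unit constants

// Number-only formatter, modelled on ms's short output ('2ms', '3s', ...).
function humanizeNumber(ms) {
  if (typeof ms !== 'number' || !Number.isFinite(ms)) {
    // Refuse anything that would otherwise have hit a string parser.
    throw new TypeError('humanizeNumber expects a finite number, got ' + typeof ms);
  }
  const abs = Math.abs(ms);
  if (abs >= D) return Math.round(ms / D) + 'd';
  if (abs >= H) return Math.round(ms / H) + 'h';
  if (abs >= M) return Math.round(ms / M) + 'm';
  if (abs >= S) return Math.round(ms / S) + 's';
  return ms + 'ms';
}

// Same shape as debug's timing code: diff since the previous call, as a number.
function diffSince(curr, prevTime) {
  return curr - (prevTime || curr);
}

// Produces the "+<elapsed>" suffix the log line carries.
function formatDiff(curr, prevTime) {
  return '+' + humanizeNumber(diffSince(curr, prevTime));
}

// Constructed sample timestamps: the first call has no previous time (0ms),
// the second is 2500ms later and rounds to '+3s'.
const first = formatDiff(1494892800000, undefined);        // '+0ms'
const later = formatDiff(1494892802500, 1494892800000);    // '+3s'
```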
