
Regular Expression Denial of Service (ReDoS) on dependency 'word-wrap' #44

Closed
Globant-Eduardo-Cerda opened this issue Apr 3, 2023 · 13 comments

Comments

@Globant-Eduardo-Cerda

Based on this post

Software like snyk / DependencyTrack is yielding a ReDoS on the word-wrap package. This affects you because of the direct dependency in your project.

@icbat

icbat commented Apr 17, 2023

Thread from word-wrap for reference. It's unclear when/if that's going to be fixed at the library level, at time of writing I haven't seen anything from the maintainer in that thread yet.

@SharpFu

SharpFu commented Apr 21, 2023

I have met this issue.

@SharpFu

SharpFu commented Apr 21, 2023

@gkz, if you have free time, please help to fix this issue. Thanks.

@gkz
Owner

gkz commented Apr 21, 2023

What issue did you actually encounter?
The author of the CLI tool using Optionator would need to purposefully make a bad description. It doesn't operate on user generated input. You could simply not use that CLI tool?
I understand the theoretical problem, and am happy to update to another package, but I'm just not understanding the actual issue in practice.

@icbat

icbat commented Apr 22, 2023

For me at least, I don't think there really is an actual technical issue. The problem I'm hitting is that some organizations treat all CVEs the same. My personal use-case is using eslint, which doesn't have a lot of surface area for a real ReDoS vector. However, it still flags the same as anything else, and I am still required to remediate (or file exceptions, etc.).

@gkz
Owner

gkz commented Apr 22, 2023

Does anyone have a suggestion for an alternate package?

(I've already had to change the word wrap package once already, when the original one had licensing issues!)

@SharpFu

SharpFu commented Apr 24, 2023

@gkz I am using "eslint": "^7.14.0", and when I use snyk to check my project it throws an error as in the image.

@gkz
Owner

gkz commented Apr 24, 2023

I mean an alternative for word-wrap

@rhuddleston

wordwrapjs maybe?

@wellwelwel

wellwelwel commented Jun 28, 2023

> Does anyone have a suggestion for an alternate package?

Hi @gkz.

For now, I think @aashutoshrathi's word-wrap fork is a good alternative, because it only contains a single fix focused on the vulnerability. In other words, it won't break anything.

You can compare the changes here and see @aashutoshrathi's npm package.

Regardless, I see this as a temporary measure.


References:

@gkz gkz closed this as completed in 06fd3a5 Jun 28, 2023
@gkz
Owner

gkz commented Jun 28, 2023

I have published 0.9.2 that should resolve the issue.

Thanks @wellwelwel for the tip.

@devpeerapong

devpeerapong commented Jun 28, 2023

Did you publish the package to npm?
Sorry, I just hit refresh and it's there.
Thanks, Great job @gkz !

@wellwelwel

wellwelwel commented Jul 19, 2023

Hi, @gkz 🙋🏻‍♂️

As before in my comment:

> Regardless, I see this as a temporary measure.

I would just like to say that the security issue has been solved in the original word-wrap project today 🎉


Related:

7 participants