Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

馃敀fix: CVE 2023 26115 (2) #41

Merged
merged 7 commits into from Jul 18, 2023
Merged

馃敀fix: CVE 2023 26115 (2) #41

merged 7 commits into from Jul 18, 2023

Conversation

OlafConijn
Copy link
Collaborator

@OlafConijn OlafConijn commented Jul 13, 2023
edited

Fixes #32

CVE-2023-26115
TLDR; ReDoS, the issue is due to Regex matching algo.

This PR proposes an alternative solution to #33 in which:

  • string.prototype.trimEnd is not used, as this would break when ran on older nodejs runtimes.
  • no (new) regular expressions are vulnerable to ReDoS (e.g. /\s+$/gm).

Performance:

  • The custom trimEnd is slower compared to native string.prototype.trimEnd.
  • The performance of the trimEnd function however is comparable to the original regular expression.

results here

image

@OlafConijn OlafConijn changed the title 馃敀fix: CVE 2023 26115 2 馃敀fix: CVE 2023 26115 (2) Jul 13, 2023
@sawilde
Copy link

sawilde commented Jul 15, 2023

string.prototype.trimEnd is not used, as this would break when ran on older nodejs runtimes.

Is there a reason why we can't use the built-in trimEnd if it is available and only revert to a custom implementation when it is not?

@OlafConijn
Copy link
Collaborator Author

OlafConijn commented Jul 15, 2023
edited

Is there a reason why we can't use the built-in trimEnd if it is available and only revert to a custom implementation when it is not?

We certainly could. it would be a nice performance improvement for those running node >=10

I think using the built-in trimEnd requires a slight bit more discussion/thought as this strips out more than just & \t (see here). As the library is used widely it is hard to oversee the effects of changing the implementation to use trimEnd.

I do think it's more likely to be an improvement than a regression. I would hoever advocate for making it a different release where consumers can roll back on the trimEnd change without having to roll back to a version that is vulnerable to CVE 2023 26115.

@doowb
Copy link
Collaborator

doowb commented Jul 18, 2023

Thanks @OlafConijn !

I'm merging and publishing this fix now.

@doowb doowb merged commit 420dce9 into master Jul 18, 2023
@doowb doowb mentioned this pull request Jul 18, 2023
Merged
@bgswilde bgswilde mentioned this pull request Jul 18, 2023
Closed
@ledsun ledsun mentioned this pull request Jul 18, 2023
Merged
This was referenced Jul 18, 2023
Merged
Merged
This was referenced Jul 19, 2023
Closed
Closed
@liaocanada liaocanada mentioned this pull request Jul 19, 2023
Merged
This was referenced Jul 19, 2023
Merged
Merged
Merged
This was referenced Jul 19, 2023
Merged
Merged
Merged
This was referenced Jul 19, 2023
Merged
Merged
Merged
@Pittufo Pittufo mentioned this pull request Jul 19, 2023
Open
@lentz lentz mentioned this pull request Jul 19, 2023
Merged
@davidshen84 davidshen84 mentioned this pull request Jul 20, 2023
Merged
@louiechristie louiechristie mentioned this pull request Jul 20, 2023
Merged
@andrejkurusiov andrejkurusiov mentioned this pull request Jul 20, 2023
Merged
@rkokkelk rkokkelk mentioned this pull request Jul 20, 2023
Merged
@bolt-io bolt-io mentioned this pull request Jul 20, 2023
Closed
@neferin12 neferin12 mentioned this pull request Jul 20, 2023
Merged
This was referenced Jul 20, 2023
Merged
Merged
@Uriei Uriei mentioned this pull request Jul 20, 2023
Merged
@edgeboyo edgeboyo mentioned this pull request Jul 20, 2023
Merged
@instapr instapr bot mentioned this pull request Jul 20, 2023
Merged
@hamsbrar hamsbrar mentioned this pull request Jul 22, 2023
Merged
This was referenced Jul 31, 2023
Closed
Merged
github-actions bot pushed a commit to brafdlog/caspion that referenced this pull request Dec 4, 2023
@semantic-release-bot
chore(release): 1.16.0 [skip ci]
512d11e 
# [1.16.0](v1.15.0...v1.16.0) (2023-12-04)

### Upgrade

* Bump word-wrap from 1.2.3 to 1.2.5 (#516) ([9c9251b](9c9251b)), closes [#516](#516) [jonschlinkert/word-wrap#24](jonschlinkert/word-wrap#24) [jonschlinkert/word-wrap#41](jonschlinkert/word-wrap#41) [jonschlinkert/word-wrap#33](jonschlinkert/word-wrap#33) [jonschlinkert/word-wrap#42](jonschlinkert/word-wrap#42) [jonschlinkert/word-wrap#24](jonschlinkert/word-wrap#24) [jonschlinkert/word-wrap#41](jonschlinkert/word-wrap#41) [jonschlinkert/word-wrap#33](jonschlinkert/word-wrap#33) [#42](#42) [#41](#41)
@sync-by-unito sync-by-unito bot mentioned this pull request Jan 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tlakomy tlakomy tlakomy approved these changes

@jonschlinkert jonschlinkert Awaiting requested review from jonschlinkert

@doowb doowb Awaiting requested review from doowb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Regular Expression Denial of Service (ReDoS) - CVE-2023-26115
5 participants
@OlafConijn @sawilde @doowb @tlakomy @aashutoshrathi