
Please address vulnerabilities to Regular Expression Denial of Service #3125

Closed

animesh-net opened this issue Jul 10, 2023 · 5 comments

Comments

animesh-net commented Jul 10, 2023

The latest version of this package (newman@5.3.2) has the following vulnerable dependencies:

  1. semver@7.3.5 - This is vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. The non-vulnerable versions of this package are non-compatible with the latest version of newman.
  2. word-wrap@1.2.3 - All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

References:

  1. CVE-2023-26115
  2. CVE-2022-25883
  3. fix: better handling of whitespace npm/node-semver#564
  4. https://vuldb.com/?id.232060
  5. https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39
  6. Snyk: snowflake-connector-nodejs word-wrap 1.2.3 | Snyk ID - SNYK-JS-WORDWRAP-3149973 snowflakedb/snowflake-connector-nodejs#454
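As an added illustration of the mitigation the thread is working toward (replacing the regex-based wrapper), here is a single-pass word wrapper that uses no regular expression at all, so the trailing-whitespace input class behind the word-wrap ReDoS cannot cause backtracking. This is example code, not code from newman, word-wrap or wordwrapjs; the option names `width`, `indent` and `newline` are assumed for illustration and do not reproduce either library's exact semantics.

```javascript
// Added example: regex-free word wrapping with linear running time.
// The wrapper walks the input once; any run of whitespace, however long,
// simply ends the current word, so a string like "a" + " ".repeat(1e5)
// costs O(n) rather than triggering regex backtracking.
// Words longer than `width` are kept whole on their own line (assumed policy).
function wrapLinear(text, { width = 50, indent = '', newline = '\n' } = {}) {
  const lines = [];
  let line = '';
  let word = '';

  // Append the buffered word to the current line or start a new line.
  const flushWord = () => {
    if (word.length === 0) return;
    if (line.length === 0) {
      line = word;
    } else if (line.length + 1 + word.length <= width) {
      line += ' ' + word;
    } else {
      lines.push(line);
      line = word;
    }
    word = '';
  };

  for (const ch of text) {
    if (ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r') {
      flushWord(); // whitespace only ever terminates a word
    } else {
      word += ch;
    }
  }
  flushWord();
  if (line.length > 0) lines.push(line);
  return lines.map((l) => indent + l).join(newline);
}

// Constructed inputs: a normal sentence and the pathological trailing-
// whitespace shape that makes a backtracking regex blow up.
const sample = 'The quick brown fox jumps over the lazy dog';
const pathological = 'a' + ' '.repeat(100000);
console.log(wrapLinear(sample, { width: 10 }));
console.log(JSON.stringify(wrapLinear(pathological))); // "a", returned immediately
```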

tillig commented Jul 10, 2023

Looks like Dependabot tried to submit a PR to upgrade semver.


animesh-net commented Jul 10, 2023

Yeah, that takes care of the semver package. The following PR takes care of the word-wrap package jonschlinkert/word-wrap#33. But going through the conversation it seems like the author of word-wrap package is not maintaining the repo anymore. So we need an alternative package to be used with newman.


jls47 commented Jul 12, 2023

Has wordwrapjs been considered? I've created a pull request in the package that updates it to support the same functionality and nomenclature as word-wrap. wordwrapjs seems to consider trailing whitespace as part of the line width and will push it to the next line in some situations but that's just about the only difference in use that I've found via testing. Would this still be acceptable as an alternative?

https://github.com/75lb/wordwrapjs
75lb/wordwrapjs#10

The whitespace diff in question: https://abload.de/img/diffspene.png

@lg250137 commented

> Yeah, that takes care of the semver package. The following PR takes care of the word-wrap package jonschlinkert/word-wrap#33. But going through the conversation it seems like the author of word-wrap package is not maintaining the repo anymore. So we need an alternative package to be used with newman.

The word-wrap PR has been merged.

@codenirvana (Member) commented

This is fixed in Newman v6.
