Vulnerable Regular Expression #82
Comments
As this issue is public, we've issued an advisory here https://nodesecurity.io/advisories/537 as well as requested help from the public to submit a PR / help patch this issue.
If it helps anyone, here are some references for similar issues which have been fixed in different ways: jshttp/forwarded@d469116 I don't have the time to work on this right now, but we have been dealing with these issues reported by @cristianstaicu for the past couple of weeks, so it was easy for me to pull up these references as to how others have addressed the ReDOS issues.
Hello, one of the NPM packages we use has been blocked by our Nexus IQ Server because it has a dependency on slug, which is blocked due to this vulnerability... I would like to fix this and I have checked the different examples of solutions provided by @wesleytodd, but in this case the RegEx is used to trim a String... In your opinion, would the use of the String.prototype.trim function be a valid solution for this case? I'm no security expert but I would definitely like to help...
👍
0.9.2 has been published with this issue fixed. https://www.npmjs.com/package/slug/v/0.9.2 @cristianstaicu Can you please close this issue?
Hi guys, just one quick question: is this issue really fixed? Our Nexus IQ Server is still detecting this vulnerability. Maybe it's because this issue has not been closed yet?
Yes.
Alas, I have publishing rights on the npm module but no write privileges on this repository. So I can publish a fix (which I have) but I can't close this issue. Do make sure you are using 0.9.2. Previous versions do not have the fix.
The following regular expression used in parsing the input string is vulnerable to ReDoS:
/^\s+|\s+$/g
The slowdown is moderately low: for 50,000 characters, around 2 seconds of matching time. However, I would still suggest one of the following:
If needed, I can provide an actual example showing the slowdown.