Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Add backtrack protection to 1.x release #320

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 10, 2024
Merged

Add backtrack protection to 1.x release #320

merged 1 commit into from
Sep 10, 2024
+4,250 −36

Conversation

blakeembrey
Copy link
Member

@blakeembrey blakeembrey commented Sep 10, 2024
edited
Loading

I'm confident this shouldn't break 99.9% of usages, but may impact some edge cases of users of the library. Fixes ReDoS vector on matching. Closes #318. Does not fix ReDoS if user provides a vulnerable regex themselves, so I'll update the advisory to make it clear that it's possible to create a ReDoS if you override parameters with a custom capture and that isn't covered by the fix.

@blakeembrey blakeembrey merged commit 925ac8e into 1.x Sep 10, 2024
@blakeembrey blakeembrey deleted the be/1.x-backtrack-proection branch September 10, 2024 21:21
@blakeembrey blakeembrey mentioned this pull request Sep 10, 2024
Merged
@fengmk2 fengmk2 mentioned this pull request Sep 11, 2024
Closed
fengmk2 added a commit to fengmk2/umi that referenced this pull request Sep 11, 2024
@fengmk2
fix: use path-to-regexp to fix redos
f31b495 
pillarjs/path-to-regexp#320
@fengmk2 fengmk2 mentioned this pull request Sep 11, 2024
Merged
PeachScript pushed a commit to umijs/umi that referenced this pull request Sep 11, 2024
@fengmk2
fix: use path-to-regexp to fix redos (#12695)
8c7a461 
pillarjs/path-to-regexp#320
@beaneyd-ELS
Copy link

Thank you for the fix, can you get the affected versions updated on: GHSA-9wv6-86v2-598j please? As 1.9 is detected as broken when it is between 0.2.0 and 8.0.0

@mabaasit mabaasit mentioned this pull request Sep 12, 2024
Merged
11 tasks
@oFlo193o
Copy link

oFlo193o commented Sep 16, 2024
edited
Loading

@blakeembrey is it save to update from 0.2.5 -> 1.9.0 or are there any breaking changes, as 0.2.5 is still being used by @nestjs/serve-static
nestjs/serve-static#1454

@blakeembrey
Copy link
Member Author

You use update to 1.9.0, there were no breaking changes in 1.0.0: https://github.com/pillarjs/path-to-regexp/blob/7aff887e73ee8bca5cc98ee6239616da07eb8523/History.md#100--2014-08-17

@oFlo193o oFlo193o mentioned this pull request Sep 16, 2024
Closed
1 task
@matei4adrian
Copy link

matei4adrian commented Sep 27, 2024
edited
Loading

Hi, @blakeembrey! This version is still seen as a vulnerable version by JFrog Xray (CVE-2024-45296). The next version that is not vulnerable is 8.0.0, but this update includes breaking changes that could not be solved for packages like react-router v5. Is it possible to completely remove the vulnerability for version 1.x.x and other major versions below 8.x.x? Thanks!

@michelkaporin michelkaporin mentioned this pull request Oct 2, 2024
Merged
@Elte156 Elte156 mentioned this pull request Nov 11, 2024
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@blakeembrey @beaneyd-ELS @oFlo193o @matei4adrian
Morty Proxy This is a proxified and sanitized view of the page, visit original site.