Vulnerable Regular Expression #4163
Comments
For clarification, this is in the Here is a railroad diagram of the regular expression. From this we can see that the grouping with repetition is related to parsing Arabic characters. It would be helpful if someone who understands both regular expressions and Arabic language could take a crack at this. An overview of ReDoS is also helpful.
I'll take this if no one has already started.
@hamiltondanielb all yours :)
I'd like to see an example if it's possible :)
@drag0s sent it on your private email.
FYI, this was added to NSP (see here), so this is probably going to start breaking people's builds soon. @hamiltondanielb - Did you get anywhere looking into this?
Just had our build break 👯
It's sad that the issue had to become public before it was fixed. Issue opened on Sep 8, NSP advisory published today. @cristianstaicu perhaps you should've reminded the maintainers about the disclosure deadline to give this some momentum.
@mattgrande there is a meta-ness to this: turns out the version of nsp we were pinned to (2.8.1) depends on moment (via joi), so it was reporting a vulnerability on its own dependency. Upgrading to nsp 3.1.0 resolved this because the dependency is no longer there, so beware of that if you don't directly depend on moment.
Is there a fix for this yet? |
Please advise any fix available? |
No fix has been published yet. Please, if you're interested in getting updates from the maintainers, subscribe to notifications for updates to this issue by clicking the "Subscribe" in the right-hand column.
To add an
Thanks @westy92 ! Saved my build. |
Hi @westy92 and @jacob-go . I have the following code. |
@Dexterslab we're using
@cristianstaicu @mattgrande is this happening in Luxon as well? |
We'd appreciate it if the fix for this can be expedited; now that it has been logged in nsp it is failing our builds.
The javascript package moment.js had a vulnerability regarding regular expressions. moment/moment#4163 This change updates moment.js to a fixed version.
The javascript package moment.js had a vulnerability regarding regular expressions. moment/moment#4163 https://github.com/moment/moment/blob/2.21.0/CHANGELOG.md This change updates moment.js to a fixed version.
2.19.1 has regular expression denial of service (ReDoS) vulnerability. See moment/moment#4163 for details.
* Bump up version for moment from 2.19.1 to fix ReDoS vulnerability. See moment/moment#4163 * Adding package-lock.json
CVE-2017-18214 https://nodesecurity.io/advisories/532 See the upstream issue resolved by the update: moment/moment#4163
- corrects advisories 55 & 532 moment/moment#4163 moment/moment#4326 Update package.json and readme with this repo.
- corrects security advisories 55 & 532 moment/moment#4163 moment/moment#4326 Update package.json and readme.
- updated moment.js version in vendor folder - added r.js (require.js) - created nodejs example Minor version bump, Security fix - corrects security advisories 55 & 532 moment/moment#4163 moment/moment#4326 Update package.json and readme.
The following regular expression used to parse dates specified as strings is vulnerable to ReDoS:
/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i
The slowdown is moderately low: for 50,000 characters, around 2 seconds matching time. However, I would still suggest one of the following:
If needed, I can provide an actual example showing the slowdown.
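The following is an added example, not code from the issue or from the moment project, that reproduces the slowdown in the regular expression quoted above and contrasts it with a variant whose repetitions are capped. The adversarial input, the `BOUNDED` pattern, the cap of 256 and the helper names (`craftInput`, `timeMatch`, `firstWord`, `scalingTable`) are all assumptions made for this example; the bounded pattern is one common ReDoS mitigation and is not claimed to be the fix the maintainers shipped.

```javascript
// Added example (not moment's code): reproduce the quadratic backtracking of the
// regex quoted in the issue and compare it with a bounded-quantifier variant.

// The regex exactly as posted in the issue (unbounded `+` repetitions).
const VULNERABLE =
  /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;

// Assumed hardening for this example: the same character classes, but every
// repetition is capped. 256 is an arbitrary cap far above any real month or
// weekday name; it bounds the backtracking done from each start position, so
// total work drops from O(n^2) to O(n * 256). It is a mitigation, not a proof
// of linear time; a structural rewrite of the pattern would be the full fix.
const BOUNDED =
  /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;

// Constructed sample month name ("January" in Arabic, written with escapes so
// the file is encoding-independent) used to check that both patterns still
// extract ordinary words identically.
const ARABIC_JANUARY = '\u064A\u0646\u0627\u064A\u0631';

// Constructed adversarial input. '/' is accepted by the leading class of the
// second alternative but not by the group that must follow it, and it is not
// accepted by the first alternative at all, so the match fails at every start
// position: the `+` swallows the rest of the string and then gives characters
// back one at a time, i.e. O(n) work per start position and O(n^2) overall.
function craftInput(n) {
  return '/'.repeat(n);
}

const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Run one unanchored match (the way a parser calls exec/match) and time it.
function timeMatch(re, input) {
  const t0 = now();
  const m = re.exec(input);
  return { matched: m !== null, ms: now() - t0 };
}

// First word the pattern extracts from the input, or null if nothing matches.
function firstWord(re, input) {
  const m = re.exec(input);
  return m ? m[0] : null;
}

// Time both patterns across input sizes. The vulnerable column roughly
// quadruples when n doubles; the bounded column grows linearly.
function scalingTable(sizes) {
  return sizes.map((n) => {
    const input = craftInput(n);
    return {
      n,
      vulnerableMs: Math.round(timeMatch(VULNERABLE, input).ms),
      boundedMs: Math.round(timeMatch(BOUNDED, input).ms),
    };
  });
}

// Sanity check: both patterns extract the same word from ordinary dates.
console.log(firstWord(VULNERABLE, ARABIC_JANUARY + ' 2017') === firstWord(BOUNDED, ARABIC_JANUARY + ' 2017'));
console.log(firstWord(VULNERABLE, 'January 2017'), firstWord(BOUNDED, 'January 2017'));

// Growth comparison on the crafted input (kept small so the demo finishes quickly).
console.table(scalingTable([4000, 8000, 16000]));
```

To get the original report's figure, pass `craftInput(50000)` to `timeMatch(VULNERABLE, ...)`; the bounded variant on the same input finishes in a few milliseconds because each of the 50,000 start positions can backtrack at most 256 steps. Timing numbers depend on the machine and engine, so the comparison to look at is the growth between rows, not the absolute values.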