Alternative Fix for CVE-2024-4067: ReDos in Micromatch #253
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@MarioTeixeiraCx please verify if you believe this fixes the vulnerability. |
|
does what I proposed, thanks |
|
all tests are failing. fix them first |
|
just checked this out locally and I'm getting the same output as the test failures in the latest master brach commit 6b3526f |
|
fixed in a different way in braces |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Edited the regex so the pattern still looks for text enclosed within curly braces anywhere in the string, but does not match imbalanced braces. If the current regex attempts to match a string with many open braces {{{{{{{{... and the string doesn't contain a closing brace } it eventually leads to denial of service.
tldr
There are three main goals in this document, depending on the nature of your pr:
The following sections provide more detail on each.
Improve this document
Please don't hesitate to ask questions for clarification, or to make suggestions (or a pull request) to improve this document.
Description
To help the project's maintainers and community to quickly understand the nature of your pull request, please create a description that incorporates the following elements:
Checklist
Please use the checklist that is most closely related to your pr (you only need to use one checklist, and you can skip items that aren't applicable or don't make sense):
Fixing typos
Documentation
Bug Fix
These checklist items do not apply to this fix.
New Feature
Thanks for contributing!
Readme advice
Please review this section if you are updating readme documentation.
Readme template
This project uses verb for documentation. Verb generates the project's readme documentation from the .verb.md template in the root of this project.
Make all documentation changes in
.verb.md, and please do not edit the readme.md directly, or your changes might accidentally get overwritten.Code comments
Please add code comments (following the same style as existing comments) to describe any code changes or new code introduced by your pull request.
Optionally build the readme
Any changes made
.verb.mdand/or code comments will be automatically incorporated into the README documentation the next timeverbis run.We can take care of building the documentation for you when we merge in your changes, or feel free to run verb yourself. Whatever you prefer is fine with us.