On 25/04/2019 at 13:41, Xavier wrote:
> Control: tags -1 + moreinfo
>
> On 22/04/2019 at 07:38, Xavier wrote:
>> On 21/04/2019 at 22:33, Moritz Muehlenhoff wrote:
>>> Package: node-braces
>>> Severity: important
>>> Tags: security
>>>
>>> Please see https://snyk.io/vuln/npm:braces:20180219
>>>
>>> Patch:
>>> https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
>>>
>>> Cheers,
>>> Moritz
>>
>> The Buster version (2.0.2) does not seem easy to patch.
>
> It seems that the vulnerable regexp doesn't exist in node-braces 2.0.2.
> I can't find any exploit to verify this. Could someone help here?
Hello,

The regex that causes CVE-2018-1109 was introduced in upstream version 2.2.0, commit dcc1acab [1]. So Buster node-braces does not seem to be concerned by this CVE.

https://snyk.io/vuln/npm:braces:20180219 extract:

> braces is a Bash-like brace expansion, implemented in JavaScript.
>
> Affected versions of this package are vulnerable to Regular Expression
> Denial of Service (ReDoS) attacks. It used a regular expression
> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
> braces. This can cause an impact of about 10 seconds matching time for
> data 50K characters long.

Commit dcc1acab [1]:

...lib/parser.js
+  /**
+   * Empty braces (we capture these early to
+   * speed up processing in the compiler)
+   */
+
+  .set('multiplier', function() {
+    var pos = this.position();
+    var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
+    if (!m) return;
+
+    this.multiplier = true;
+    var prev = this.prev();
+    var node = pos(new Node({
+      type: 'text',
+      multiplier: 1,
+      match: m,
+      val: m[0]
+    }));
+
+    return concatNodes.call(this, pos, node, prev, options);
...

and the fix is [2]:

...lib/parsers.js
@@ -127,7 +127,7 @@ module.exports = function(braces, options) {
     .set('multiplier', function() {
       var isInside = this.isInside('brace');
       var pos = this.position();
-      var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
+      var m = this.match(/^\{((?:,|\{,+\})+)\}/);
       if (!m) return;

       this.multiplier = true;

No regexp in 2.0.2 contains such an expression. Time to close this issue?

Cheers,
Xavier

[1]: https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
[2]: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
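Review bot: in the dcc1acab excerpt, the pattern passed to `this.match(...)` puts two quantifiers over the same character next to each other in each alternative (`,+` followed by `,*`, and `,*` ... `,+` in the mirror branch), so a long run of commas that is never closed by `}` gets re-split between the two quantifiers on every failed attempt; that is the quadratic matching time the Snyk extract measures (about 10 seconds at 50K characters). The `Empty braces` comment should state which inputs the expression is meant to accept and why it is anchored with `^`, so a reviewer can judge a simpler, single-quantifier form against it.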
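Review bot: the replacement `^\{((?:,|\{,+\})+)\}` removes the overlapping `,+`/`,*` pair, so each comma is consumed exactly once and an unclosed input fails in linear time, but it also widens what counts as an empty brace: a mixed sequence such as `{,{,},{,}}` (comma, nested pair, comma, nested pair) now matches, whereas the old pattern allowed only one comma run on either side of the nested groups. That deserves a sentence in the commit message and a test case. Note too that the old expression had three capturing groups and the new one has one; the visible code stores `match: m` and reads only `m[0]`, so anything downstream that read the old groups 2 or 3 should be checked.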
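Added example, not code from this bug thread or from the braces project: it compares the regex introduced in commit dcc1acab with the replacement from commit abdafb0c on constructed inputs, reporting whether the two agree and how long each takes on a long unclosed run of commas, which is the kind of regression check the thread is asking for. The sample inputs and the function names are my own.

```javascript
// Added example, not code from the bug thread or the braces project.
// Compares the regex introduced in commit dcc1acab with the replacement
// from commit abdafb0c: do they accept the same "empty brace" inputs,
// and how does each behave on a long run of commas that never closes?
const VULNERABLE = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;
const FIXED = /^\{((?:,|\{,+\})+)\}/;

// Run both regexes on one input and report whether they agree on
// match/no-match and on m[0], the text the parser stores as the node's val.
function compare(input) {
  const a = VULNERABLE.exec(input);
  const b = FIXED.exec(input);
  return {
    vulnerable: a ? a[0] : null,
    fixed: b ? b[0] : null,
    agree: (a === null) === (b === null) && (a === null || a[0] === b[0]),
  };
}

// Constructed inputs: multiplier patterns braces should accept, near-misses
// it should reject, and one mixed sequence on which the two regexes differ.
const SAMPLES = [
  '{,}', '{,,}', '{,{,}}', '{{,},}', '{,{,,},,}',
  '{}', '{a,b}', '{,x}', '{{}}',
  '{,{,},{,}}', // accepted only by FIXED: old pattern allows one comma run per side
];

// Inputs from the list on which the two regexes do not agree.
function disagreements(inputs = SAMPLES) {
  return inputs.filter((s) => !compare(s).agree);
}

// Wall-clock milliseconds for a single exec. On "{,,,,...x" the old regex
// re-splits the comma run between ",+" and ",*" on every failure, so its
// time grows quadratically with n; the fixed regex consumes each comma once.
function timeExec(re, input) {
  const t0 = process.hrtime.bigint();
  re.exec(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

function timing(n) {
  const input = '{' + ','.repeat(n) + 'x'; // constructed: never closes, forces backtracking
  return { n, vulnerableMs: timeExec(VULNERABLE, input), fixedMs: timeExec(FIXED, input) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('disagreements:', disagreements());
  for (const n of [1000, 4000, 16000]) console.log(timing(n));
}
```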