apply backtrack protection to version 6.x because of @koa/router #323
Comments
Also msw: mswjs/msw#2277 |
I've applied a patch here: https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0. I think someone will need to update the public advisory. There's a possibility this breaks expectations in some edge cases, but typical route usage should see minimal changes (excepting the first param now appearing greedy, e.g. |
@blakeembrey Thanks for the fix; the advisory should be editable for repo admins: |
I submitted a ticket to address the snyk one. |
@mschfh I believe I already follow that workflow, but it only patches the one in the repo and not the global one. This one I've updated in the repo: GHSA-9wv6-86v2-598j This is the global one: GHSA-9wv6-86v2-598j I was under the impression they synced up somehow. Edit: Thanks for opening github/advisory-database#4791 (comment). |
Interesting, Snyk did update their page (https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106), but the issue is still present for <8.0.0, with a note stating:
Can something be done to fully fix the issue on those previous versions? 🤞🏼 Edit: Okay Snyk got updated too now: https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 🎉
|
It's not really possible; it is true that as long as anyone can specify a regular expression it may be vulnerable if you wrote a bad regular expression. It might be possible to write a regex parser to use a safe subset, but that isn't something I have time for right now, and I won't implement it for older versions. |
koajs/router#186