Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit str to 100 to avoid ReDoS of 0.3s #89

Merged
merged 1 commit into from
May 16, 2017
Merged

Limit str to 100 to avoid ReDoS of 0.3s #89

merged 1 commit into from
May 16, 2017

Conversation

karenyavine
Copy link
Contributor

@karenyavine karenyavine commented Apr 12, 2017
edited
Loading

Hey,
The fix for CVE-2015-8315 was incomplete. Limiting the input to 10,000 chars reduced the risk significantly but it is still possible to cause a delay of 0.3s. Suggested to limit it to 100 chars as there is no reason for a date to be over that :)

PoC:

ms=require('ms');
ms('1'.repeat(9998) + 'Q')
//Takes about ~0.3s

Thanks,
Karen Yavine
Security Analyst @ snyk.io

@Delagen
Copy link

Delagen commented May 16, 2017

#90

@leo leo merged commit caae298 into vercel:master May 16, 2017
@leo
Copy link
Contributor

leo commented May 16, 2017

Sweet! Thank you. 😊

@leo leo mentioned this pull request May 16, 2017
Closed
@karenyavine
Copy link
Contributor Author

Hey @leo!
Thanks for merging the PR!
Wondered when a new version will be released to npm?

@Delagen
Copy link

Delagen commented May 16, 2017

Sad that module authors does not care about performance at all.

@leo
Copy link
Contributor

leo commented May 16, 2017

@karenyavine It was just released with version 2.0.0! 🎉

@popomore popomore mentioned this pull request May 16, 2017
Merged
@grnd
Copy link

grnd commented May 17, 2017

@leo, thanks for the fix and the release.
I was wondering why was this a breaking change, requiring a major release?

@leo
Copy link
Contributor

leo commented May 17, 2017

Because we lowered the limit. So if people have longer strings in place, it will break.

@Delagen
Copy link

Delagen commented May 17, 2017
edited
Loading

@grnd @leo I offer solution to not simply decrease limit, but to rework parsing, that boost parse speed up to 2 times, look at #90, code looks cleaner and more simple

@grnd
Copy link

grnd commented May 17, 2017

+1 on @Delagen's solution. Both the previous fix of limiting to 10000 chars, and the new one of limiting to 100 chars were merely a workaround.

@kyrylkov kyrylkov mentioned this pull request May 25, 2017
Closed
tkadlec referenced this pull request in dashersw/cote Jun 5, 2017
@dashersw
Remove snyk badge and add dependencies badge
71a3331 
Snyk notoriously reports on the ms package used by socket.io, which
actually is no vulnerability, and the author rejected snyk's fix.
It looks bad on the README, so removing snyk until they fix their attitude.
@brennoo brennoo mentioned this pull request Aug 17, 2017
Merged
sjparkinson added a commit to Financial-Times/n-health that referenced this pull request Sep 13, 2017
@sjparkinson
Update ms package to prevent regex dos.
9f0902d 
See vercel/ms#89.
@sjparkinson sjparkinson mentioned this pull request Sep 13, 2017
Merged
@yoavmmn yoavmmn mentioned this pull request Sep 25, 2017
Closed
@mkj28 mkj28 mentioned this pull request Nov 5, 2018
Closed
@snyk-bot snyk-bot mentioned this pull request Apr 8, 2020
Closed
@deveras deveras mentioned this pull request Apr 25, 2020
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Sep 8, 2020
Closed
This was referenced Sep 20, 2020
Closed
Closed
Closed
This was referenced Oct 3, 2020
Closed
Closed
This was referenced Oct 5, 2020
Open
Open
This was referenced Apr 24, 2022
Open
Closed
Closed
Open
@Robthreefold Robthreefold mentioned this pull request May 5, 2022
Closed
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot mentioned this pull request May 8, 2022
Open
@github-actions github-actions bot mentioned this pull request May 11, 2022
Closed
This was referenced May 12, 2022
Open
Open
Open
Open
Open
Open
Open
Open
Open
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot mentioned this pull request Jun 2, 2022
Open
@CMaheshBL CMaheshBL mentioned this pull request May 6, 2022
Open
JSRedondo pushed a commit to Financial-Times/n-health that referenced this pull request Jun 20, 2022
@sjparkinson
Update ms package to prevent regex dos.
e6a221b 
See vercel/ms#89.
@github-actions github-actions bot mentioned this pull request Aug 1, 2022
Open
This was referenced Mar 7, 2023
Open
Open
@mendappgms mendappgms bot mentioned this pull request Oct 23, 2023
Open
@mend-app-sh mend-app-sh bot mentioned this pull request Nov 21, 2023
Closed
@joshn-whitesource-app joshn-whitesource-app bot mentioned this pull request Feb 7, 2024
Open
@RedKnightToken RedKnightToken mentioned this pull request May 17, 2024
Open
@Shannja Shannja mentioned this pull request Aug 8, 2024
Open
@UlyssesDB UlyssesDB mentioned this pull request Aug 10, 2024
Open
@SebAllouche SebAllouche mentioned this pull request Sep 21, 2024
Open
@samueljochem samueljochem mentioned this pull request Nov 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@karenyavine @Delagen @leo @grnd