Known regex vuln

[kieransquare]

Just thought I'd inform this project that it has a known regex vuln out against it now.

https://nvd.nist.gov/vuln/detail/CVE-2022-37599

[alexander-akait]

PR welcome

[alexander-akait]

And I don't see any problems with

loader-utils/lib/interpolateName.js

Line 83 in d9f4e23

directory = resourcePath.replace(/\\/g, '/').replace(/\.\.(\/)?/g, '_$1');

And #211

[getroyer]

I'm interested in finding a way to resolve this regex vulnerability as well. If anyone knows how it should be resolved please let me know.

[jeran-urban]

I'm interested in finding a way to resolve this regex vulnerability as well. If anyone knows how it should be resolved please let me know.

The main issues around Regex DOS attacks is in badly formed queries that are not strict enough, and no exit condition involving a time limit for processing. If you ensure that the query is perfectly formed or at least add an exit condition based on a time limit (a few seconds) then this should resolve the issue. More information here: https://www.regular-expressions.info/redos.html#Handling%20Regexes%20Provided%20by%20The%20User. I will drop this information on the other threads as I believe this is still a legitimate vulnerability in v 3.x as well

[alexander-akait]

Close in favor #216