Astro relies on vulnerable path-to-regexp
#11956
Comments
PRs are welcome

I just opened #11965 for this.

Just for reassurance for anyone seeing this, this vulnerability will only impact you if you “have two parameters within a single segment, separated by something that is not a period ( As an example, a server-rendered site with the following file structure would be vulnerable due to the multiple parameters within a single segment:
That’s mostly pretty rare in Astro sites, but a malicious actor in theory could tie up your server by making requests with very long matching URL segments when using a pattern like this. Patterns like Static sites are also not really vulnerable. The worst case scenario would be a slower static build if you were using unsanitized user input as
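As an added example (not code from the Astro project or from anyone in this thread), here is a small route audit that looks for the pattern the comment above describes: two or more dynamic `[param]` segments inside one path segment, separated by anything other than a period. The sample file paths are constructed for illustration, and the handling of the `src/pages` prefix and file extensions is an assumption about Astro's file-based routing layout, not something taken from this issue.

```javascript
// Added example: audit Astro-style route file paths for the risky layout
// described in the thread (several dynamic params in one segment that are
// not separated by a period). Assumed layout: files under src/pages with
// .astro/.md/.mdx/.ts/.js extensions; [name] and [...name] mark params.

const PARAM_RE = /\[(\.\.\.)?([^\]]+)\]/g;

// Turn a file path into its URL segments: drop the pages prefix and the
// extension, then split on '/'.
function routeSegments(routePath) {
  return routePath
    .replace(/^src\/pages\//, '')
    .replace(/\.(astro|md|mdx|ts|js)$/, '')
    .split('/')
    .filter(Boolean);
}

// Return a finding for a single segment, or null if it is fine.
// A segment is flagged when it holds two or more params and the literal
// text between any adjacent pair is something other than a single period.
function segmentRisk(segment) {
  const params = [...segment.matchAll(PARAM_RE)].map((m) => ({
    name: m[2],
    start: m.index,
    end: m.index + m[0].length,
  }));
  if (params.length < 2) return null;
  for (let i = 1; i < params.length; i++) {
    const between = segment.slice(params[i - 1].end, params[i].start);
    if (between !== '.') {
      return { segment, params: params.map((p) => p.name), separator: between };
    }
  }
  return null;
}

// Walk every route and collect findings with the originating file path.
function auditRoutes(routePaths) {
  const findings = [];
  for (const path of routePaths) {
    for (const seg of routeSegments(path)) {
      const risk = segmentRisk(seg);
      if (risk) findings.push({ path, ...risk });
    }
  }
  return findings;
}

// Constructed sample routes: only the last two match the risky layout.
const SAMPLE_ROUTES = [
  'src/pages/index.astro',
  'src/pages/blog/[slug].astro',
  'src/pages/[lang]/[id].astro',
  'src/pages/files/[name].[ext].astro',
  'src/pages/[year]-[month].astro',
  'src/pages/[a][b].astro',
];

for (const f of auditRoutes(SAMPLE_ROUTES)) {
  console.log(`${f.path}: params ${f.params.join(', ')} separated by ${JSON.stringify(f.separator)}`);
}
```

Running the audit over a project's route list before deploying is a cheap way to confirm whether the rare layout the comment mentions is present at all; routes whose params sit in separate segments, or are joined by a period, are not reported.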
As far as I can see, the library is only used to generate routes, astro does not use the matching or regex generation, so this may not apply to astro at all.

After trying to update and adjust the existing code to the latest version of path-to-regexp I opted for removing it completely, see #11981

Had to change the target branch, now #11983

FYI, the GitHub Advisory Database was updated for Latest patch table for

While the work in PRs to upgrade to To fix quickly, I'll be opening a PR to update the version required by Astro to

I think we need to reopen that again (until I finish a correct implementation without path-to-regexp).

Reminding you of #11985 in case that short term solution may become relevant again.

Thanks @matiboux! 6.3.0 includes breaking changes (see the failing tests in #11985 — https://github.com/withastro/astro/actions/runs/10847513941) so it’s not quite that simple either unfortunately.

Fixed by #12001
Astro Info
If this issue only occurs in one browser, which browser is a problem?
No response
Describe the Bug
npm audit reports that astro relies on vulnerable versions of path-to-regexp
What's the expected result?
No reliance on vulnerable version
Link to Minimal Reproducible Example
NA