
Fix Regular Expression Denial of Service (ReDoS) #458

Merged
merged 1 commit into from
May 17, 2017

Conversation

hubdotcom
Contributor

@coveralls

coveralls commented May 16, 2017

Coverage Status

Coverage remained the same at 63.804% when pulling d49a69f on hubdotcom:patch-1 into 4a6c85c on visionmedia:master.

@designfrontier

Would love to see this landed :-) I am a way upstream consumer and this is the one open vulnerability I've got at the moment.

@TooTallNate TooTallNate merged commit 15850cb into debug-js:master May 17, 2017
@thebigredgeek
Contributor

Live on https://github.com/visionmedia/debug/releases/tag/2.6.7
@dougwilson

@hubdotcom hubdotcom deleted the patch-1 branch May 17, 2017 09:49
@dotchev

dotchev commented May 31, 2017

We also see this issue in our projects. We depend on debug via a bunch of other packages. It will take some time until all of them are updated.
But I wonder if this issue affects debug at all.
Looking quickly at the code, it seems ms is called only with a number, not with a string. So this ReDoS issue should not be relevant, right?

    var ms = curr - (prevTime || curr);
    self.diff = ms;

https://github.com/visionmedia/debug/blob/master/src/debug.js#L73

    exports.humanize = require('ms');

https://github.com/visionmedia/debug/blob/master/src/debug.js#L14

    args.push('\u001b[3' + c + 'm+' + exports.humanize(this.diff) + '\u001b[0m');

https://github.com/visionmedia/debug/blob/master/src/node.js#L115
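The point raised in the comment above (debug only ever hands `ms` a number, the elapsed time, never a string) can be made explicit in code. The following is an added example, not code from the debug or ms projects: a number-only `humanize()` that formats an elapsed-time number the way `exports.humanize(this.diff)` is used, rejects anything that is not a finite number, and reproduces the `curr - (prevTime || curr)` diff computation quoted above. The function names `humanize`, `computeDiff`, `diffSuffix` and `isRejected` are this example's own.

```javascript
'use strict';

// Unit constants in milliseconds.
const S = 1000;
const M = S * 60;
const H = M * 60;
const D = H * 24;

// Format a number of milliseconds as a short human-readable string.
// Only finite numbers are accepted; strings are refused with a TypeError,
// so no string ever reaches a duration-parsing regex through this path.
function humanize(ms) {
  if (typeof ms !== 'number' || !Number.isFinite(ms)) {
    throw new TypeError('humanize expects a finite number of milliseconds, got ' + typeof ms);
  }
  const abs = Math.abs(ms);
  if (abs >= D) return Math.round(ms / D) + 'd';
  if (abs >= H) return Math.round(ms / H) + 'h';
  if (abs >= M) return Math.round(ms / M) + 'm';
  if (abs >= S) return Math.round(ms / S) + 's';
  return ms + 'ms';
}

// Mirrors the diff computation quoted from debug.js: both operands are
// numeric timestamps, so the result is always a number. On the first call
// prevTime is undefined, which yields a diff of 0.
function computeDiff(curr, prevTime) {
  return curr - (prevTime || curr);
}

// Builds the "+<elapsed>" suffix debug appends to a log line
// (the colour escape sequences from node.js are left out here).
function diffSuffix(curr, prevTime) {
  return '+' + humanize(computeDiff(curr, prevTime));
}

// True when humanize() refuses the value, i.e. a non-number cannot be
// smuggled into the formatting path.
function isRejected(value) {
  try {
    humanize(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(diffSuffix(1500, 1000));       // +500ms
console.log(diffSuffix(1000, undefined));  // +0ms (first call, prevTime unset)
console.log(isRejected('1'.repeat(50)));   // true: a constructed string input
```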
