
OSS Issue #28

Closed
ibrahimmus opened this issue Oct 14, 2022 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@ibrahimmus

When scanned for vulnerabilities through OSS Index, this is the output:

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.

https://ossindex.sonatype.org/component/pkg:npm/validate-color

@dreamyguy
Owner

Thank you for the heads-up, @ibrahimmus. I wasn't familiar with this exploit. Looking for ReDoS, I found this explanation, which was quite nice.

My theory is that opening for an undefined number of spaces within the regex could trigger this. I'll do some experimentation and perhaps limit their number, so the regex gets stricter.

@dreamyguy dreamyguy added enhancement New feature or request help wanted Extra attention is needed labels Jan 29, 2023
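The comment above attributes the ReDoS to an unbounded run of whitespace inside the regex. The following is an added example, not validate-color's own code or its actual pattern: it builds a hypothetical rgb() regex with the dangerous shape (a repeated group that both begins and ends with `\s*`, with the separator optional), times it against a constructed invalid string, and contrasts it with an unambiguous regex and a regex-free parser. It assumes Node.js for `process.hrtime`.

```javascript
'use strict';
// Added example, not validate-color's code. Both regexes below are
// hypothetical and exist only to show the shape that backtracks
// catastrophically and an unambiguous alternative. Assumes Node.js.

// Ambiguous (vulnerable) shape: a repeated group that both starts and ends
// with \s*, with the comma optional. A space between two numbers can be
// taken by the trailing \s* of one iteration or by the leading \s* of the
// next, so when the overall match eventually fails the engine retries
// every combination: about 2^n paths for n numbers.
const RGB_AMBIGUOUS = /^rgb\((\s*\d{1,3}\s*,?)*\)$/;

// Unambiguous rewrite: exactly three channels, comma mandatory, whitespace
// only in fixed slots. \s and \d are disjoint and "," is a literal, so every
// input character has exactly one place it can match and a failing input is
// rejected after a bounded amount of backtracking.
const RGB_STRICT = /^rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)$/;

function isRgbAmbiguous(s) { return RGB_AMBIGUOUS.test(s); }
function isRgbStrict(s) { return RGB_STRICT.test(s); }

// Regex-free alternative: split on commas and range-check each channel.
// Work is proportional to input length by construction.
function isRgbParsed(s) {
  const t = s.trim();
  if (!t.startsWith('rgb(') || !t.endsWith(')')) return false;
  const parts = t.slice(4, -1).split(',');
  if (parts.length !== 3) return false;
  return parts.every((p) => {
    const v = p.trim();
    return /^\d{1,3}$/.test(v) && Number(v) <= 255;
  });
}

// Constructed attack string: n "1 " units followed by a character that can
// never match, so the engine must exhaust every split of the spaces.
function craftedInput(n) { return 'rgb(' + '1 '.repeat(n) + '!'; }

// Wall-clock cost of a single test() call, in milliseconds.
function timeMs(re, s) {
  const t0 = process.hrtime.bigint();
  re.test(s);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Each extra number roughly doubles the ambiguous regex's cost (n=14 to
// n=18 is about 16x); the strict regex and the parser reject the same
// inputs in time that does not grow noticeably.
for (const n of [10, 14, 18]) {
  const s = craftedInput(n);
  console.log(
    `n=${n}: ambiguous ${timeMs(RGB_AMBIGUOUS, s).toFixed(2)} ms, ` +
    `strict ${timeMs(RGB_STRICT, s).toFixed(3)} ms, ` +
    `parsed ${isRgbParsed(s)}`
  );
}
```

Two points worth checking against whatever the real pattern looks like. First, the ambiguous regex is not only slow, it is also too lax: it accepts `rgb(1 1 1)` with no commas at all, while the strict form rejects it. Second, capping the whitespace quantifier (say `\s{0,2}` instead of `\s*`) shrinks each iteration's options but does not remove the ambiguity between the trailing whitespace of one iteration and the leading whitespace of the next, so the attack string above still costs about 2^n paths; the fix that actually holds is making every input character matchable in exactly one place (fixed group count, mandatory separator) or parsing without a regex.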
@dreamyguy
Owner

This was fixed by this commit. 🎉

@kl-ma

kl-ma commented Dec 5, 2023

@dreamyguy This is still being reported as a Snyk vulnerability in the latest versions of this package that include the mentioned fix: https://security.snyk.io/vuln/SNYK-JS-VALIDATECOLOR-2935878
Does this have to be readdressed on Snyk's side or in this package, possibly?
