Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

apply backtrack protection to version 6.x because of @koa/router #323

Closed
rlsf opened this issue Sep 11, 2024 · 8 comments · Fixed by #324
Closed

apply backtrack protection to version 6.x because of @koa/router #323

rlsf opened this issue Sep 11, 2024 · 8 comments · Fixed by #324

Comments

@rlsf
Copy link

rlsf commented Sep 11, 2024

koajs/router#186

@mass8326
Copy link

withastro/astro#11956

@paulo9mv
Copy link

Also msw: mswjs/msw#2277

@blakeembrey
Copy link
Member

I've applied a patch here: https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0. I think someone will need to update the public advisory. There's a possibility this breaks expectations in some edge cases, but typical route usage should see minimal changes (excepting the first param now appearing greedy, e.g. /:foo.:bar against /x.y.z changes from x and y.z to x.y and z).

@mschfh
Copy link

mschfh commented Sep 12, 2024

I think someone will need to update the public advisory.

@blakeembrey Thanks for the fix, the advisory should be editable for repo admins:
https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory

@samchungy
Copy link

I submitted a ticket to address the snyk one.

@blakeembrey
Copy link
Member

blakeembrey commented Sep 12, 2024

@mschfh I believe I already follow that workflow, but it only patches the one in the repo and not the global one.

This one I've updated in the repo: GHSA-9wv6-86v2-598j

This is the global one: GHSA-9wv6-86v2-598j

I was under the impression they synced up somehow.

Edit: Thanks for opening github/advisory-database#4791 (comment).

@markmssd
Copy link

markmssd commented Sep 17, 2024

Interesting, Snyk did update their page (https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106), but the issue is still present for <8.0.0, with a note stating:

Note: Versions 0.1.10, 1.9.0, 3.3.0, and 6.3.0 are patched to mitigate this but are still vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering prior versions vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

Can something be done to fully fix the issue on those previous versions? 🤞🏼

Edit: Okay Snyk got updated too now: https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 🎉

How to fix?
Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

@blakeembrey
Copy link
Member

Can something be done to fully fix the issue on those previous versions?

It's not really possible, it is true that as long as anyone can specify a regular expression it may be vulnerable if you wrote a bad regular expression. It might be possible to write an regex parser to use a safe subset but that isn't something I have time for right now, and won't implement for older versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants