-
Notifications
You must be signed in to change notification settings - Fork 798
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency path-to-regexp to v1.9.0 [SECURITY] - autoclosed #39330
Conversation
Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.
Interested in more tips and information?
|
@arthur791004 @dsas I don't think this package.json file is even used in the monorepo, it's just there for the sync script to know what version is currently synced, is that right? Do you need to sync a new version with this fixed? Would it work to extract just the version number and write that to a file instead of copying in the whole |
Just to caveat my answers: I'm rather inexperienced with this
I think you're right 👍
One doesn't exist yet, but I guess it should do.
That sounds like a good idea to me 👍 |
74c37d2
to
b10afe3
Compare
The package.json in there is unused except for the version number field. Save the version number to a version.txt file instead to avoid confusing Renovate (cf. #39330).
Created #39471 to do that. |
The package.json in there is unused except for the version number field. Save the version number to a version.txt file instead to avoid confusing Renovate (cf. #39330).
This PR contains the following updates:
1.7.0
->1.9.0
path-to-regexp outputs backtracking regular expressions
CVE-2024-45296 / GHSA-9wv6-86v2-598j
More information
Details
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (
.
). For example,/:a-:b
.Patches
For users of 0.1, upgrade to
0.1.10
. All other users should upgrade to8.0.0
.These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.
Version 7.1.0 can enable
strict: true
and get an error when the regular expression might be bad.Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change
/:a-:b
to/:a-:b([^-/]+)
.If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using
/:a-:b
will produce the regular expression/^\/([^\/]+?)-([^\/]+?)\/?$/
. This can be exploited by a path such as/a${'-a'.repeat(8_000)}/a
. OWASP has a good example of why this occurs, but the TL;DR is the/a
at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the:a-:b
on the repeated 8,000-a
.Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pillarjs/path-to-regexp (path-to-regexp)
v1.9.0
: Fix backtracking in 1.xCompare Source
Fixed
925ac8e
re.exec(&#​39;/test/route&#​39;)
result (#267)32a14b0
v1.8.0
: Backport token to function optionsCompare Source
Added
TokensToFunctionOptions
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.