@martinez-hugo
Contributor

Q                       A
Fixed Issues? -
Patch: Bug Fix? -
Major: Breaking Change? -
Minor: New Feature? -
Tests Added + Pass? -
Documentation PR Link -
Any Dependency Changes? debug
License MIT

Fix Regular Expression Denial of Service in debug

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

GitHub advisory
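The ReDoS class the advisory describes, as an added example (not code from this PR or from the debug package): a backtracking-prone whitespace-collapsing regex beside the linear split/trim/join form, plus a rough model of the regex engine's work. The regex shape /\s*\n\s*/g is my assumption about the affected formatter, not something quoted on the page.

```javascript
// Added example; not code from this PR or from the debug package. It assumes the
// affected %o formatter collapsed whitespace around newlines with a regex shaped
// like /\s*\n\s*/g (my reconstruction, not quoted on the page).

// Backtracking-prone form. On a long run of spaces that contains no "\n", the
// engine attempts a match at every position, the leading \s* swallows the rest
// of the run, fails to find "\n", and backtracks one char at a time. Total work
// grows with the square of the run length, which is how a few tens of thousands
// of characters can stall the event loop for seconds.
function collapseNewlinesRegex(str) {
  return str.replace(/\s*\n\s*/g, ' ');
}

// Linear form (the shape of the fix): split on the literal newline, trim each
// piece, re-join. No quantifier can backtrack, so each character is touched a
// bounded number of times regardless of input shape.
function collapseNewlinesLinear(str) {
  return str.split('\n').map((line) => line.trim()).join(' ');
}

// Rough model of the regex engine's work on `str`: for each start position,
// count the whitespace the leading \s* consumes before it stops at a non-space
// or a "\n", plus one attempt. For a space-only run of length n this is ~n^2/2.
function estimateRegexWork(str) {
  let work = 0;
  for (let i = 0; i < str.length; i++) {
    let j = i;
    while (j < str.length && str[j] !== '\n' && /\s/.test(str[j])) j++;
    work += j - i + 1;
  }
  return work;
}

// Constructed sample resembling util.inspect output that %o would receive.
const SAMPLE = "{\n  user: 'alice',\n  roles: [ 'admin', 'dev' ]\n}";

// Behavioural caveat when upgrading: the two forms agree on ordinary inspect
// output but differ on blank lines (the regex collapses a run of them to one
// space, the split form keeps one space per line) and on leading whitespace of
// the first line (the split form trims it).
function compareForms(str) {
  return { regex: collapseNewlinesRegex(str), linear: collapseNewlinesLinear(str) };
}
```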
@JLHwung
Contributor

JLHwung commented Dec 8, 2023

Can you run yarn and yarn dedupe and then check out the lock file?

@babel-bot
Collaborator

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/55984/

@martinez-hugo
Contributor Author

@JLHwung all is good and all tests passed

@JLHwung JLHwung merged commit cce807f into babel:main Dec 8, 2023
@martinez-hugo martinez-hugo deleted the patch-1 branch December 8, 2023 17:53
@github-actions github-actions bot added the outdated A closed issue/PR that is archived due to age. Recommended to make a new issue label Mar 9, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 9, 2024