loader-utils
Known regex vuln
Just thought I'd inform this project that it has a known regex vuln out against it now.
https://nvd.nist.gov/vuln/detail/CVE-2022-37599
PR welcome
And I don't see any problems with https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83
And https://github.com/webpack/loader-utils/issues/211
I'm interested in finding a way to resolve this regex vulnerability as well. If anyone knows how it should be resolved please let me know.
The main issue around regex DoS attacks is badly formed queries that are not strict enough, and no exit condition involving a time limit for processing. If you ensure that the query is perfectly formed, or at least add an exit condition based on a time limit (a few seconds), then this should resolve the issue. More information here: https://www.regular-expressions.info/redos.html#Handling%20Regexes%20Provided%20by%20The%20User. I will drop this information on the other threads as I believe this is still a legitimate vulnerability in v3.x as well.
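An added illustration of the "strict pattern" side of that advice, not code from loader-utils or from any participant in this thread: a placeholder expander for templates shaped like interpolateName's `[name].[hash:8].[ext]` that walks the input once with bounded length instead of relying on a backtracking regex. The placeholder names, the length cap and the `values` object are assumptions for the example.

```javascript
// Added example (not loader-utils code). A regex with nested or overlapping
// quantifiers can backtrack super-linearly on crafted input (ReDoS). A single
// left-to-right scan over a length-capped template cannot, whatever the input.

const MAX_TEMPLATE_LENGTH = 1024; // assumed cap; a filename template is never this long

// Expand "[name]", "[ext]" and "[hash:N]" style placeholders from `values`.
// Unknown placeholders and unterminated brackets are copied through literally.
function expandTemplate(template, values) {
  if (typeof template !== "string" || template.length > MAX_TEMPLATE_LENGTH) {
    throw new RangeError("template missing or longer than " + MAX_TEMPLATE_LENGTH);
  }
  let out = "";
  let i = 0;
  while (i < template.length) {
    const open = template.indexOf("[", i);
    if (open === -1) { out += template.slice(i); break; }
    const close = template.indexOf("]", open + 1);
    if (close === -1) { out += template.slice(i); break; } // no closing bracket: literal
    out += template.slice(i, open);
    const body = template.slice(open + 1, close);
    const colon = body.indexOf(":");
    const name = colon === -1 ? body : body.slice(0, colon);
    const arg = colon === -1 ? null : body.slice(colon + 1);
    // Anchored, single-quantifier checks are linear; only own properties are used.
    const known = /^[a-z]+$/.test(name) &&
      Object.prototype.hasOwnProperty.call(values, name);
    if (!known) {
      out += template.slice(open, close + 1); // leave "[whatever]" untouched
    } else {
      let value = String(values[name]);
      if (arg !== null && /^\d+$/.test(arg)) {
        value = value.slice(0, Number(arg)); // "[hash:8]" keeps the first 8 chars
      }
      out += value;
    }
    i = close + 1;
  }
  return out;
}

// Constructed sample values, standing in for a resource path and content hash.
const sampleValues = { name: "app", ext: "js", hash: "0123456789abcdef" };
console.log(expandTemplate("[name].[hash:8].[ext]", sampleValues));
```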
Closed in favor of https://github.com/webpack/loader-utils/issues/216