node-libs-browser

Old path-browserify is very slow on long pathnames (should I say ReDoS'able?)

Open futpib opened this issue 6 years ago • 1 comments

Currently used here [email protected]:

	time node -e "require('path-browserify').extname(crypto.randomBytes(2 ** 23).toString('base64'))"
	real    0m5.619s

Node 11 built-in path module:

	time node -e "path.extname(crypto.randomBytes(2 ** 23).toString('base64'))"
	real    0m0.133s

Latest [email protected]:

	time node -e "require('path-browserify').extname(crypto.randomBytes(2 ** 23).toString('base64'))"
	real    0m0.137s

Currently the fact that webpack pulls [email protected] via this module forces me to install [email protected] and alias it manually in webpack.config.js like this:

	resolve: {
		alias: {
			path: 'path-browserify',
		},
	},

I hope you can update it to 1.0.0.

EDIT: Turns out there is already a PR for this #79

futpib, Dec 09 '18 00:12

Added a PR that specifically fixes this vulnerability without introducing breaking changes: https://github.com/webpack/node-libs-browser/pull/89

goto-bus-stop, Feb 06 '19 17:02