Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Take a look #12

Open
wilbertcr opened this issue Apr 1, 2016 · 2 comments
Open

Take a look #12

wilbertcr opened this issue Apr 1, 2016 · 2 comments

Comments

@wilbertcr
Copy link

[https://srcclr.com/bleach/javascript/npm/c-12769/vulnerabilities]

@markstos
Copy link

markstos commented Jul 29, 2016

The link says there is a low-risk denial of service issue with this module related to regular expressions. A more specific link is here:

https://srcclr.com/security/regular-expression-denial-service-redos-/javascript/sid-1862/technical

Version 0.3.0, the current version, is listed as being vulnerable.

The problematic line pointed to is this one:
https://github.com/ecto/bleach/blob/master/lib/bleach.js#L73

A related reference is here:
https://nodesecurity.io/advisories/47

More about RegEx-based DOS: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

@wusala01
Copy link

A potential workaround could be this, couldn't it?

Iam not very experienced with Regex-based DOS, but might this help?

      html = html.replace(/<script(?:.*?)>(?:.|[\r\n])*?<\/script(?:.*)>/gmi, '');

vs.

      html = html.replace(/<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim, '');

Quantified group with a quantifier in it thingy is gone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants