Open vvscode opened 5 years ago
just got the same report 😿
it seems to be already fixed on master? 🎉
would it be possible to release a new version 🤗 pretty please 🤗
@3rd-Eden is this on your radar by chance?
friendly reminder 🤗
As a temporary solution I've added

```js
// Cap the User-Agent header before any regex-based parser sees it, so a
// hostile, very long UA cannot trigger catastrophic backtracking downstream.
app.use((req, res, next) => {
  const ua = req.headers['user-agent'];
  // Only touch the header when it is present, so a missing UA does not
  // become the literal string "undefined".
  if (typeof ua === 'string') {
    req.headers['user-agent'] = ua.substr(0, 150);
  }
  next();
});
```
@3rd-Eden ping
Friendly bump @3rd-Eden. We'd really appreciate a release, if that would fix the issue.
@3rd-Eden do you have an update on the fix? (https://twitter.com/vvscode/status/1158378665555746821)
> As a temporary solution I've added
>
> ```js
> app.use((req, res, next) => { req.headers['user-agent'] = `${req.headers['user-agent']}`.substr(0, 150); next(); });
> ```
Is this the only alternative / workaround for now? Has anyone considered either 1. releasing the fix separately or 2. using an alternative library?
Side:
An attempt to fix the vulnerability has been pushed to master.
Is @3rd-Eden the only contributor who can release a fixed version? @davidkwan95 and @ChALkeR I see you both have contributed to the repository in 2019.
Thanks a lot in advance for future replies! :)
Can someone fork this and apply this patch?
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
Automatically generated by @huntr-helper...
Hi team, it's been more than a year with no update on the fix; can someone suggest an alternative to this module?
I continue using it; I just added a patch with https://github.com/ds300/patch-package
The uap-core library of regexes that this is built on continues to be updated: https://github.com/ua-parser/uap-core/issues/495 This project is already set up to download the latest regexes; nothing more we can do here.
Alternatives:
Regular Expression Denial of Service (ReDoS)

Vulnerable module: useragent
Introduced through: useragent@2.3.0

Detailed paths
Introduced through: useragent@2.3.0

Overview
useragent allows you to parse user agent strings with high accuracy by using hand-tuned dedicated regular expressions for browser matching.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when passing long user-agent strings.

This is due to an incomplete fix for this vulnerability: https://snyk.io/vuln/SNYK-JS-USERAGENT-11000.

An attempt to fix the vulnerability has been pushed to master.

References: https://snyk.io/vuln/SNYK-JS-USERAGENT-11000