dataarts / dat.gui

Lightweight controller library for JavaScript.
Apache License 2.0

Regular Expression Denial of Service (ReDoS) #298

Closed tomhsiao1260 closed 2 years ago

tomhsiao1260 commented 3 years ago

Yesterday there was a new npm report on dat.gui, which states that dat.gui contains a severity vulnerability (you get a warning message after running the "npm i dat.gui" command). Can anyone explain more about this warning?

https://www.npmjs.com/advisories/1701

tomhsiao1260 commented 3 years ago

Oh, I found that someone already sent PR #279 (7 months ago). Hope it can be merged as soon as possible to remove this severity vulnerability warning.

jmariller commented 3 years ago

Hi,

I am still getting a high severity vulnerability with dat.gui:

Even though version 0.7.7 is installed for my project. Any ideas why? Looking into interpret.js, it seems like the latest patches were not actually applied; can that be?

Many thanks

jmariller commented 3 years ago

@TomHsiao1260 could you possibly re-open this issue?

tomhsiao1260 commented 3 years ago

Seems that this project is no longer maintained by its owner. Though this issue has already been fixed in this GitHub repo, the npm version (published a year ago ...) is still not updated. It is worth mentioning that Mr.doob (three.js project owner) also tried to get access to the dat.gui npm package 3 months ago in order to fix this vulnerability. But it seems that there is no further progress.


However, in my opinion, a ReDoS attack is harmless when developing frontend-only projects. So if you still want to use this tool without the severity vulnerability warning showing up, you can use it locally like I did in this project.
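To make the risk trade-off in the comment above concrete, here is an added example (not code from this thread, from dat.gui, or from its interpret.js) showing what a ReDoS-prone pattern does to the thread that evaluates it, and a length cap that keeps untrusted input away from such a pattern. The nested-quantifier regex, the input generator and the cap value are all constructed for the demonstration; they are not dat.gui's actual vulnerable expression.

```javascript
// Added example for this thread; the pattern below is constructed to show
// catastrophic backtracking and is NOT dat.gui's own regex from interpret.js.
const BACKTRACKING_PATTERN = /^(a+)+$/; // nested quantifier: many ways to split one run of 'a'
const LINEAR_PATTERN = /^a+$/;          // accepts the same strings with a single match path

// A string that nearly matches and then fails on the last character forces the
// engine to try every way of splitting the run before it can give up.
function craftNonMatchingInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run one regex test and report both the verdict and the wall-clock time in ms.
function timeRegex(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Mitigation that works whatever engine runs the regex: never hand unbounded
// attacker-controlled input to a pattern. Returns null when the input exceeds
// the cap so the caller can reject it instead of blocking the event loop.
function boundedTest(re, input, maxLength) {
  if (typeof input !== 'string' || input.length > maxLength) {
    return null;
  }
  return re.test(input);
}

// Demo: the linear pattern stays flat while the nested one roughly doubles
// its runtime for every extra character. Both return "no match" every time;
// only the cost differs, which is exactly what a ReDoS payload exploits.
function runDemo() {
  const rows = [];
  for (let n = 16; n <= 22; n += 2) {
    const input = craftNonMatchingInput(n);
    rows.push({
      n,
      nested_ms: timeRegex(BACKTRACKING_PATTERN, input).ms.toFixed(2),
      linear_ms: timeRegex(LINEAR_PATTERN, input).ms.toFixed(3),
    });
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runDemo());
}
```

Run it with `node redos-demo.js`. In a browser, the same pattern would freeze that one user's tab on input they themselves typed or loaded, which is the "frontend-only" case the comment refers to; on a server, or in a build step that parses untrusted files, the same evaluation blocks the shared process for everyone, so the length cap in `boundedTest` (or replacing the pattern with a non-ambiguous one, as in `LINEAR_PATTERN`) is the fix rather than the warning suppression.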

jmariller commented 3 years ago

Thank you @TomHsiao1260 for the clarification and for having reopened the issue!

nyan-left commented 2 years ago

do we have any updates on this? :)

ugogon commented 2 years ago

Yes, can we at least bump the current git master to version 0.7.8 so we do not get the warning if we add "dat.gui": "git+https://github.com/dataarts/dat.gui.git" to our package.json dependencies?

tomhsiao1260 commented 2 years ago

Finally, someone tried an alternative to dat.gui 🙌

lil-gui: https://github.com/georgealways/lil-gui

Related issue: https://github.com/mrdoob/three.js/pull/22765

mrdoob commented 2 years ago

0.7.8 is now on npm with the fix. But yes, please migrate to lil-gui if you can 🙏