github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-ww39-953v-wcq6] glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex #4558

Closed sealonohana closed 1 week ago

sealonohana commented 1 week ago

Updates

Comments

Version 3.0.0 (and before) did not use RegEx to detect and extract the parent path from a glob string. It used a do-while loop and the path.dirname method:
https://github.com/gulpjs/glob-parent/tree/bbe92930283eb87170b48f180183876508b7e6d7
https://github.com/gulpjs/glob-parent/tree/bbe92930283eb87170b48f180183876508b7e6d7/index.js

Also, the PoC of the ReDoS does not work for version 3.0.0.

shelbyc commented 1 week ago

Hi @sealonohana, I checked https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46 that fixes CVE-2020-28469 and noticed that the regular expression in line 9 of index.js, which was changed in the fix commit, wasn't added until https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e in version 4.0.0. What do you think about adding version 4.0.0 as the minimum affected version? Is there anything about version 3.0.1 that leads you to believe version 3.0.1 is vulnerable to CVE-2020-28469?

sealonohana commented 1 week ago

@shelbyc You're right. I've checked the PoC on version 3.0.1 and it did not work. 3.0.1 is not vulnerable to CVE-2020-28469.

shelbyc commented 1 week ago

@sealonohana Since this is your first community contribution and you made a good faith effort, you'll still get credit for helping me find https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e and the minimum affected version of 4.0.0. Thank you for contributing and I hope to see you in the community contributions queue again someday! 🙂

advisory-database[bot] commented 1 week ago

Hi @sealonohana! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!