Closed renovate[bot] closed 1 month ago
renovate[bot]
commented
1 month ago Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
Janpot
commented
1 month ago @apedroferreira Will this upgrade have an effect on navigation item patterns? Is that feature sufficiently covered by tests for *, + and ??
apedroferreira
commented
1 month ago @apedroferreira Will this upgrade have an effect on navigation item patterns? Is that feature sufficiently covered by tests for
*,+and??
Oh I didn't expect that kind of breaking changes, need to cover them in tests then. Also there seems to be some incompatibility between v8 and the browser testing libraries we use, still have to figure that out...
Janpot
commented
1 month ago @apedroferreira Since this will be blocked for a while, how do you feel about bringing those new tests on master, that way we can let renovatebot take over again in rebasing this PR
apedroferreira
commented
1 month ago @apedroferreira Since this will be blocked for a while, how do you feel about bringing those new tests on master, that way we can let renovatebot take over again in rebasing this PR
I had just commented the same in the other PR :D
renovate[bot]
commented
1 month ago This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
apedroferreira
commented
1 month ago Moved over the test changes to https://github.com/mui/toolpad/pull/4104 so we can reset the modifications in this PR.
Janpot
commented
1 month ago Closing this one for now
This PR contains the following updates:
7.1.0->8.0.06.2.2->8.0.0GitHub Vulnerability Alerts
CVE-2024-45296
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (
.). For example,/:a-:b.Patches
For users of 0.1, upgrade to
0.1.10. All other users should upgrade to8.0.0.These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for this library and not considered a vulnerability.
Version 7.1.0 can enable
strict: trueand get an error when the regular expression might be bad.Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change
/:a-:bto/:a-:b([^-/]+).If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using
/:a-:bwill produce the regular expression/^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as/a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the/aat the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the:a-:bon the repeated 8,000-a.Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
Release Notes
pillarjs/path-to-regexp (path-to-regexp)
### [`v8.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0): Simpler API [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.2.0...v8.0.0) Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward. **Added** - Adds key names to wildcards using `*name` syntax, aligns with `:` behavior but using an asterisk instead **Changed** - Removes group suffixes of `?`, `+`, and `*` - only optional exists moving forward (use wildcards for `+`, `{*foo}` for `*`) - Parameter names follow JS identifier rules and allow unicode characters **Added** - Parameter names can now be quoted, e.g. `:"foo-bar"` **Removed** - Removes `loose` mode - Removes regular expression overrides of parameters ### [`v7.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.2.0): Support array inputs (again) [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.1.0...v7.2.0) **Added** - Support array inputs for `match` and `pathToRegexp` [`3fdd88f`](https://redirect.github.com/pillarjs/path-to-regexp/commit/3fdd88f)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
Closes https://github.com/mui/toolpad/issues/4125