postmanlabs / newman

Newman is a command-line collection runner for Postman
https://www.postman.com
Apache License 2.0

Please address vulnerabilities to Regular Expression Denial of Service #3125

Closed animesh-net closed 12 months ago

animesh-net commented 1 year ago

The latest version of this package (newman@5.3.2) has the following vulnerable dependencies:

  1. semver@7.3.5 - This is vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. The non-vulnerable versions of this package are not compatible with the latest version of newman.
  2. word-wrap@1.2.3 - All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

References:

  1. CVE-2023-26115
  2. CVE-2022-25883
  3. https://github.com/npm/node-semver/pull/564
  4. https://vuldb.com/?id.232060
  5. https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39
  6. https://github.com/snowflakedb/snowflake-connector-nodejs/issues/454
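The mechanism behind the word-wrap finding above, as an added example that is not part of this issue and not word-wrap's or newman's code. As I read the referenced line, word-wrap 1.2.3 trims its `result` string with `result.replace(/[ \t]*$/gm, '')` when `trim: true` is set; the block reproduces that pattern, shows the input shape that makes it quadratic, and pairs it with a single-pass trim that produces the same output in linear time. The function names, the crafted input and the timing helper are mine.

```javascript
// Added example (not newman's or word-wrap's code): reproduces the trailing-
// whitespace trim that word-wrap 1.2.3 applies to its `result` string when
// `trim: true` is set, next to a linear-time replacement with identical output.
//
// With the `m` flag, `$` matches before \n, \r, \u2028, \u2029 or at end of
// input. On a line that is many blanks followed by a visible character, the
// backtracking engine tries every start offset and, from each, backs off over
// every shorter run of blanks before `$` finally fails: O(n^2) work for n blanks.

const VULNERABLE_TRIM = /[ \t]*$/gm; // same pattern as the line cited for CVE-2023-26115

function trimTrailingVulnerable(str) {
  return str.replace(VULNERABLE_TRIM, '');
}

const LINE_TERMINATORS = new Set(['\n', '\r', '\u2028', '\u2029']);

// Single forward pass, no regex: blanks are buffered and dropped when a line
// terminator or the end of input follows them, otherwise flushed in front of
// the next visible character. Output matches the regex version exactly.
function trimTrailingSafe(str) {
  let out = '';
  let pending = '';
  for (const ch of str) {
    if (ch === ' ' || ch === '\t') {
      pending += ch;
    } else if (LINE_TERMINATORS.has(ch)) {
      pending = '';          // blanks before a line end are trailing: drop them
      out += ch;
    } else {
      out += pending + ch;   // blanks inside a line are kept
      pending = '';
    }
  }
  return out;                // blanks at end of input are trailing: dropped
}

// Constructed attacker-shaped input: n blanks that are NOT trailing, because a
// visible character follows them, so every start offset is a failed match.
function craftedInput(n) {
  return ' '.repeat(n) + 'x';
}

function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Doubling n should roughly quadruple the regex time and only double the linear one.
for (const n of [5000, 10000]) {
  const input = craftedInput(n);
  console.log(
    `n=${n}: regex ${timeMs(trimTrailingVulnerable, input).toFixed(1)} ms, ` +
    `linear ${timeMs(trimTrailingSafe, input).toFixed(1)} ms`
  );
}
```

The point for a reviewer of any dependency that post-processes user-controlled text: a pattern of the form `<class>*$` (or `\s+$`) is safe on well-formed input and quadratic on input that ends a long run of the class with one character the class does not contain, so the only reliable fix is to take the regex off the untrusted path, not to tweak it.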
tillig commented 1 year ago

Looks like Dependabot tried to submit a PR to upgrade semver.

animesh-net commented 1 year ago

Yeah, that takes care of the semver package. The following PR takes care of the word-wrap package https://github.com/jonschlinkert/word-wrap/pull/33. But going through the conversation it seems like the author of word-wrap package is not maintaining the repo anymore. So we need an alternative package to be used with newman.

jls47 commented 1 year ago

Has wordwrapjs been considered? I've created a pull request in the package that updates it to support the same functionality and nomenclature as word-wrap. wordwrapjs seems to consider trailing whitespace as part of the line width and will push it to the next line in some situations but that's just about the only difference in use that I've found via testing. Would this still be acceptable as an alternative?

https://github.com/75lb/wordwrapjs https://github.com/75lb/wordwrapjs/pull/10

The whitespace diff in question: https://abload.de/img/diffspene.png

lg250137 commented 1 year ago

> Yeah, that takes care of the semver package. The following PR takes care of the word-wrap package jonschlinkert/word-wrap#33. But going through the conversation it seems like the author of word-wrap package is not maintaining the repo anymore. So we need an alternative package to be used with newman.

The word-wrap PR has been merged.

codenirvana commented 12 months ago

This is fixed in Newman v6.