reactioncommerce / generator-reaction

Project generator for Reaction NodeJS projects. Built with Yeoman.

Low Severity: Regular Expression Denial of Service (ReDoS) #29

Open mpaktiti opened 4 years ago

mpaktiti commented 4 years ago

Vulnerable module: braces
Introduced through: indexr@1.1.10
Detailed Path:

generator-reaction@0.0.0-development › 
     indexr@1.1.10 › 
          chokidar@1.7.0 › 
               anymatch@1.3.2 › 
                    micromatch@2.3.11 › 
                         braces@1.8.5

Remediation: No remediation path available.

Overview: braces is a Bash-like brace expansion, implemented in JavaScript. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detect empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.

More about this issue: Snyk Report

mpaktiti commented 4 years ago

braces has to be updated to version 2.3.1 or higher

The indexr repo looks out of maintenance (last update: 3 years ago).

We can try sending a PR to update chokidar or fork indexr and update the chokidar version in our fork.
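Before forking or patching, it helps to confirm which installed paths actually reach the affected braces release. The following is an added example, not code from generator-reaction or indexr: it walks an `npm ls --json`-style dependency tree (a constructed copy of the path quoted above) and reports every occurrence of a package below the fixed version; `findVulnerablePaths` and `compareVersions` are hypothetical names.

```javascript
// Constructed input mirroring the dependency path quoted in the issue,
// in the nested shape produced by `npm ls --json`.
const SAMPLE_TREE = {
  name: 'generator-reaction',
  version: '0.0.0-development',
  dependencies: {
    indexr: { version: '1.1.10', dependencies: {
      chokidar: { version: '1.7.0', dependencies: {
        anymatch: { version: '1.3.2', dependencies: {
          micromatch: { version: '2.3.11', dependencies: {
            braces: { version: '1.8.5' },
          } },
        } },
      } },
    } },
  },
};

// Minimal major.minor.patch comparison. Pre-release suffixes such as
// "-development" are stripped, which is enough for the versions above.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; returns one "name@version > ... > name@version" string
// per occurrence of `pkg` whose version is older than `fixedVersion`.
function findVulnerablePaths(tree, pkg, fixedVersion) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkg && compareVersions(node.version, fixedVersion) < 0) {
      hits.push(here.join(' > '));
    }
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(sub, child, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Usage: every path that still ends in braces < 2.3.1 after a fix attempt.
console.log(findVulnerablePaths(SAMPLE_TREE, 'braces', '2.3.1'));
```

Feeding the real output of `npm ls --json` into the same walker shows whether a PR to chokidar or a forked indexr has actually removed every path to the old braces release.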