solid-design-system / solid

Monorepo for Union Investment's Solid Design System.
https://solid-design-system.fe.union-investment.de/x.x.x/storybook/

fix: 🤔 regex [theming] depending on external inputs #726

Open karlbaumhauer opened 9 months ago

karlbaumhauer commented 9 months ago

Current behavior

See code scanning alert: https://github.com/solid-design-system/solid/security/code-scanning/1

Expected behavior

Prevent "DoS" attack potential.

DoR

DoD

christophsaile commented 9 months ago

Some regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length n is proportional to n^k or even 2^n. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service ("DoS") attack by crafting an expensive input string for the regular expression to match.

@karlbaumhauer Since this function is only executed on the client, this could only lead to a DoS of yourself, right? :D
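The alert text quoted above explains the mechanism only in the abstract. The following is an added example, not code from this issue or from the solid repository (the issue never shows the actual theming regex, so the pattern here is a hypothetical textbook case with the same defect shape). It shows a nested-quantifier pattern, the crafted input that makes it backtrack exponentially, a linear-time rewrite that accepts the same strings, and a length cap that keeps untrusted input away from the regex. It is written in JavaScript because the code in question runs in the browser; the 256-character limit is an assumed value.

```javascript
// Added example (not code from the solid repository): a regex shape that
// triggers catastrophic backtracking, a crafted input that makes it fail
// slowly, a linear-time rewrite, and an input-length guard.
// The pattern is a hypothetical textbook case, not the project's regex.

// Nested quantifier: a run of n 'a's can be split into 2^(n-1) groups.
// When the anchored "$" fails on the trailing "!", the backtracking
// engine tries every split before giving up.
const VULNERABLE = /^(a+)+$/;

// Same language (one or more 'a'), no nested quantifier: one linear
// scan, then a single failure on "!".
const SAFE = /^a+$/;

// Adversarial input: a long valid prefix followed by a character that
// forces the match to fail only at the very end.
function craftedInput(n) {
  return "a".repeat(n) + "!";
}

const now = () =>
  typeof performance !== "undefined" ? performance.now() : Date.now();

// Run one regex test and report whether it matched and how long it took.
function timeMatch(re, input) {
  const start = now();
  const matched = re.test(input);
  return { matched, ms: now() - start };
}

// Time the same regex over growing inputs so the growth rate is visible.
function measureGrowth(re, sizes) {
  return sizes.map((n) => ({ n, ...timeMatch(re, craftedInput(n)) }));
}

// Mitigation: cap the length of anything user-controlled before a regex
// sees it. 256 is an assumed limit for a theme token string.
const MAX_INPUT_LENGTH = 256;
function boundedTest(re, input) {
  if (typeof input !== "string" || input.length > MAX_INPUT_LENGTH) {
    return false; // rejected without ever running the regex
  }
  return re.test(input);
}

// Check: confirm the rewrite accepts exactly the same inputs as the
// original before swapping it in.
function patternsAgree(inputs) {
  return inputs.every((s) => VULNERABLE.test(s) === SAFE.test(s));
}

// Demo: the vulnerable pattern's time roughly doubles per extra 'a';
// the safe one stays flat. Keep n small, 2^22 steps is already visible.
const sizes = [10, 14, 18, 22];
for (const row of measureGrowth(VULNERABLE, sizes)) {
  console.log(`vulnerable n=${row.n} matched=${row.matched} ${row.ms.toFixed(2)} ms`);
}
for (const row of measureGrowth(SAFE, sizes)) {
  console.log(`safe       n=${row.n} matched=${row.matched} ${row.ms.toFixed(2)} ms`);
}
```

Run it with `node` and compare the two timing columns: the vulnerable rows grow by roughly 16x per step of four in n, the safe rows do not move. The length cap is the cheap defence when the pattern cannot be rewritten; it also applies on the client, where the cost is a frozen tab rather than a down server.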

karlbaumhauer commented 9 months ago

As discussed in our call => de-prioritized, as it can only be executed on the client and we currently see no scenario where it could have any effect on the server/CDN.

@mariohamann do you agree on that?

mariohamann commented 9 months ago

Absolutely. If someone wants to break their own client... go for it. 😆

mariohamann commented 3 weeks ago

Can we just close this completely as not planned? I wouldn't invest any time and budget on that @yoezlem.