terser / html-minifier-terser

actively maintained fork of html-minifier - minify HTML, CSS and JS code using terser - supports ES6 code
https://terser.org/html-minifier-terser
MIT License
385 stars 32 forks

Vulnerability: CVE-2022-37620 #182

Open borrelm opened 2 months ago

borrelm commented 2 months ago

What happened?

Hi,

IMO this fork of https://github.com/kangax/html-minifier is still vulnerable to CVE-2022-37620, as the regex in the candidate variable is still the same. References: https://nvd.nist.gov/vuln/detail/CVE-2022-37620 https://github.com/kangax/html-minifier/issues/1135

Version

All

What browsers are you seeing the problem on?

No response

Link to reproduce

No response

Relevant log output

No response

Willing to submit a PR?

None

DanielRuf commented 2 weeks ago

It seems the CVE record differs from https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181, which contains more details.

Not sure why this is the case. I will clarify with Snyk.

The described PoC does not work with html-minifier-terser:

```js
import { minify } from 'html-minifier-terser';
result = minify(attrName = '\t'.repeat(547703) + '.\t1x', tag = '\t'.repeat(547703) + '.\t1x')
```


But with valid code, the PoC works:

```js
import { minify } from 'html-minifier-terser';
const result = minify('\t'.repeat(547703) + '.\t1x')
```

DanielRuf commented 2 weeks ago

It seems no one really confirmed the actual issue here. See my addition regarding the candidate variable: https://github.com/kangax/html-minifier/issues/1135#issuecomment-2453388023

Detailed analysis and recommended mitigations: https://github.com/kangax/html-minifier/issues/1135#issuecomment-2453405484
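The thread attributes the slowdown to the regex in the `candidate` variable but never shows it. The block below is an added example, not code from html-minifier-terser or from either commenter. It assumes a trailing srcset-descriptor regex of the shape `/\s+(descriptor)$/` (an assumption; compare with the `htmlminifier.js` of the version you run), shows why an unanchored `.match` on the thread's `'\t'.repeat(n) + '.\t1x'` input backtracks quadratically, and gives a linear-time replacement that returns the same result on well-formed candidates. The names `DESCRIPTOR_RE`, `splitCandidateRegex`, `splitCandidateLinear`, `payload` and `backtrackDemo` are mine.

```javascript
// Added example (not html-minifier-terser's code).
// ASSUMPTION: the "candidate" regex is assumed to have this shape: a leading
// \s+, the w/x descriptor alternatives, and an end anchor. Verify against the
// actual source before drawing conclusions about a specific release.
const DESCRIPTOR_RE = /\s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;

// Regex-based split of one srcset candidate into url + descriptor.
// .match() is unanchored: the engine retries from every start position, and at
// each position inside a long whitespace run \s+ eats the rest of the run,
// fails, and backtracks one char at a time. Total work is O(n^2) in the run.
function splitCandidateRegex(candidate) {
  const m = candidate.match(DESCRIPTOR_RE);
  if (!m) return { url: candidate, descriptor: '' };
  return { url: candidate.slice(0, -m[0].length), descriptor: m[1] };
}

// Linear-time split: walk backwards from the end once. The descriptor can
// only sit at the very end, so scan its characters, then the whitespace run
// in front of it, and validate the short tail with an anchored regex.
function splitCandidateLinear(candidate) {
  let i = candidate.length;
  while (i > 0 && /[0-9.wx]/.test(candidate[i - 1])) i--;   // descriptor chars
  const tail = candidate.slice(i);
  let j = i;
  while (j > 0 && /\s/.test(candidate[j - 1])) j--;         // whitespace run
  const valid = j < i && tail !== '' &&
    /^(?:[1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/.test(tail);
  if (!valid) return { url: candidate, descriptor: '' };
  return { url: candidate.slice(0, j), descriptor: tail };
}

// The input shape from the thread (constructed; n tabs, then ".", tab, "1x").
function payload(n) {
  return '\t'.repeat(n) + '.\t1x';
}

function timeMs(fn) {
  const t = Date.now();
  fn();
  return Date.now() - t;
}

// Doubling n should roughly quadruple the regex time and only double the
// linear one. Returns the rows so callers can inspect them.
function backtrackDemo(sizes = [4000, 8000, 16000]) {
  return sizes.map((n) => {
    const p = payload(n);
    return {
      n,
      regexMs: timeMs(() => splitCandidateRegex(p)),
      linearMs: timeMs(() => splitCandidateLinear(p)),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(backtrackDemo());
}
```

Raise the sizes in `backtrackDemo` to see the regex version stall while the linear one stays flat. Whether a given release is affected is decided by the regex actually present in its shipped `htmlminifier.js`, which this example does not read.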