From e8ffb837db3f3244750d00ba6d8c65fa5f099395 Mon Sep 17 00:00:00 2001 From: NxPKG <116948796+NxPKG@users.noreply.github.com> Date: Thu, 2 Nov 2023 05:24:22 +0600 Subject: [PATCH] Improve GHSA-hhq3-ff78-jv3g --- .../2022/10/GHSA-hhq3-ff78-jv3g/GHSA-hhq3-ff78-jv3g.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/10/GHSA-hhq3-ff78-jv3g/GHSA-hhq3-ff78-jv3g.json b/advisories/github-reviewed/2022/10/GHSA-hhq3-ff78-jv3g/GHSA-hhq3-ff78-jv3g.json index 4e2afd02a4c2d..35ae6d8e7a0fe 100644 --- a/advisories/github-reviewed/2022/10/GHSA-hhq3-ff78-jv3g/GHSA-hhq3-ff78-jv3g.json +++ b/advisories/github-reviewed/2022/10/GHSA-hhq3-ff78-jv3g/GHSA-hhq3-ff78-jv3g.json @@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-hhq3-ff78-jv3g", - "modified": "2022-11-22T22:52:15Z", + "modified": "2023-09-21T22:02:26Z", "published": "2022-10-12T12:00:27Z", "aliases": [ "CVE-2022-37599" ], "summary": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", - "details": "A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.", + "details": "The ReDoS flaw in webpack loader-utils could be exploited by an attacker to cause a denial of service attack. To mitigate this vulnerability, you should upgrade to webpack loader-utils version 1.4.2, 2.0.4, or 3.2.1 or higher.\n\nIf you are unable to upgrade to a patched version of webpack loader-utils, you can mitigate the vulnerability by implementing your own regular expression matching function. This function should be designed to be resistant to ReDoS attacks.\n\nHere are some tips for implementing a ReDoS-resistant regular expression matching function:\n\nAvoid using backtracking in your regular expressions.\nUse fixed-width character classes whenever possible.\nUse lazy quantifiers instead of greedy quantifiers.\nSet a timeout on your regular expression matching function.\nHere is an example of a ReDoS-resistant regular expression matching function in Python:\n\n```\nimport re\n\ndef match_regex(regex, string, timeout=1):\n \"\"\"Matches a regular expression against a string, with a timeout.\n\n Args:\n regex: The regular expression to match.\n string: The string to match against.\n timeout: The maximum amount of time to spend matching the regular expression.\n\n Returns:\n True if the regular expression matches the string, False otherwise.\n \"\"\"\n\n regex = re.compile(regex, re.DOTALL)\n start_time = time.time()\n match = regex.match(string)\n end_time = time.time()\n if match and (end_time - start_time) <= timeout:\n return True\n else:\n return False\n```\n\nYou can use this function to match regular expressions against strings in your application, and it will help to protect you from ReDoS attacks.\n\nIn addition to mitigating the ReDoS vulnerability in webpack loader-utils, you should also take steps to protect your application from other types of denial of service attacks. This includes implementing rate limiting and other measures to prevent attackers from flooding your application with requests.", "severity": [ { "type": "CVSS_V3", @@ -113,7 +113,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-79" ], "severity": "HIGH", "github_reviewed": true,