Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency path-to-regexp to v1.9.0 [SECURITY] #39330

Open
wants to merge 1 commit into
base: trunk
Choose a base branch
from
Open

Update dependency path-to-regexp to v1.9.0 [SECURITY] #39330

wants to merge 1 commit into from
+5 −1

Conversation

matticbot
Copy link
Contributor

@matticbot matticbot commented Sep 10, 2024
edited
Loading

This PR contains the following updates:

Package Type Update Change
path-to-regexp overrides minor 1.7.0 -> 1.9.0

path-to-regexp outputs backtracking regular expressions

CVE-2024-45296 / GHSA-9wv6-86v2-598j

More information

Details

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.

Details

Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.

Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.

References

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v1.9.0: Fix backtracking in 1.x

Compare Source

Fixed

v1.8.0: Backport token to function options

Compare Source

Added

  • Backport TokensToFunctionOptions

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@matticbot matticbot added [Status] Needs Review To request a review from Crew. Label will be renamed soon. [Type] Janitorial labels Sep 10, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 10, 2024
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the renovate/npm-path-to-regexp-vulnerability branch.

    • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack-mu-wpcom-plugin renovate/npm-path-to-regexp-vulnerability

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@anomiex
Copy link
Contributor

anomiex commented Sep 10, 2024

@arthur791004 @dsas I don't think this package.json file is even used in the monorepo, it's just there for the sync script to know what version is currently synced, is that right? Do you need to sync a new version with this fixed? Would it work to extract just the version number and write that to a file instead of copying in the whole package.json?

@dsas
Copy link
Contributor

dsas commented Sep 10, 2024

Just to caveat my answers: I'm rather inexperienced with this

I don't think this package.json file is even used in the monorepo, it's just there for the sync script to know what version is currently synced, is that right?

I think you're right 👍

Do you need to sync a new version with this fixed?

One doesn't exist yet, but I guess it should do.

Would it work to extract just the version number and write that to a file instead of copying in the whole package.json?

That sounds like a good idea to me 👍

@matticbot matticbot force-pushed the renovate/npm-path-to-regexp-vulnerability branch from 74c37d2 to b10afe3 Compare September 12, 2024 06:11
@matticbot matticbot changed the title Update dependency path-to-regexp to v8 [SECURITY] Update dependency path-to-regexp to v1.9.0 [SECURITY] Sep 12, 2024
anomiex added a commit that referenced this pull request Sep 19, 2024
@anomiex
mu-wpcom: For Newspack blocks sync, save only version
ba62d22 
The package.json in there is unused except for the version number field.
Save the version number to a version.txt file instead to avoid confusing
Renovate (cf. #39330).
@anomiex anomiex mentioned this pull request Sep 19, 2024
Open
3 tasks
@anomiex
Copy link
Contributor

anomiex commented Sep 19, 2024

Would it work to extract just the version number and write that to a file instead of copying in the whole package.json?

That sounds like a good idea to me 👍

Created #39471 to do that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
[mu wpcom Feature] Newspack Blocks [Package] Jetpack mu wpcom WordPress.com Features [Status] Needs Review To request a review from Crew. Label will be renamed soon. [Type] Janitorial
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@matticbot @anomiex @dsas @renovate-bot