🔒 fix: CVE-2023-26115 #33
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| /*! | ||
| * word-wrap <https://github.com/jonschlinkert/word-wrap> | ||
| * | ||
| * Copyright (c) 2014-2023, Jon Schlinkert. | ||
| * Released under the MIT License. | ||
| */ | ||
|
|
||
|
|
@@ -36,7 +36,7 @@ module.exports = function(str, options) { | |
| }).join(newline); | ||
|
|
||
| if (options.trim === true) { | ||
| result = result.replace(/\s+$/g, ''); | ||
|
There was a problem hiding this comment. Not sure if you guys consider but, according to couple of checkers, this also a vulnerable regexp There was a problem hiding this comment. Introducing a new linter rule could be a necessary step to move forward There was a problem hiding this comment. I think we can't do this with regex There was a problem hiding this comment. I also think that the first commit was better. There was a problem hiding this comment. @aashutoshrathi @jonschlinkert Given we don't have a non-vulnerable regex solution and there's concern for older versions of Node.js, can we use this instead? There was a problem hiding this comment. @aashutoshrathi @jonschlinkert @seahindeniz How about this?
This assumes every line will start with something other than a space or tab. The There was a problem hiding this comment. @aashutoshrathi have you tried this suggestion? There was a problem hiding this comment. not yet, will do There was a problem hiding this comment. This works just as well as .trimEnd(); |
||
| } | ||
| return result; | ||
| }; | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess
/\s+$/gmworks fasterThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, let me check on that.
But ideally, I would like to not use regex for the operation that can be easily handled by native
trimEnd, right?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe or native better regex can be faster. need to bench to check that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @aashutoshrathi, sorry for the long delay, and thanks for the PR. I'll try to get this merged in ASAP.
Yes, let's use this pattern without the
mflag. Using+will also be a bit safer since it won't allow that pattern to match an empty string.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/[ \t]+$/gis slightly better than/\s+$/git would seem. Unfortunately both regexes are suspectable to redos, as opposed totrimEnd();$ time node -e 'payloadstr=""; for ( i=0; i < 100000; i++ ) payloadstr+="\t"; payloadstr+="a"; payloadstr.replace(/[ \t]+$/gm,"");'real 0m21.084s$ time node -e 'payloadstr=""; for ( i=0; i < 100000; i++ ) payloadstr+="\t"; payloadstr+="a"; payloadstr.replace(/\s+$/g,"");'real 0m8.587s$ time node -e 'payloadstr=""; for ( i=0; i < 100000; i++ ) payloadstr+="\t"; payloadstr+="a"; payloadstr.replace(/[ \t]+$/g,"");'real 0m6.169s$ time node -e 'payloadstr=""; for ( i=0; i < 100000; i++ ) payloadstr+="\t"; payloadstr+="a"; payloadstr.trimEnd();'real 0m0.082sThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jonschlinkert Any update when this PR will be merged ?