Link label security #1515
Merged
Link label security #1515
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
UziTech
added
category: links
L0 - security
|
If this PR is merged I will create a new issue about the single backtick so we can still track it. |
|
This is a temporary fix. Links will need to be parsed with a function to be fully spec compliant to allow the single backtick along with nested brackets like we are parsing the href. |
styfle
reviewed
Jul 2, 2019
| @@ -1,3 +1,3 @@ | |||
| [the `]` character](/url) | |||
|
|
|||
| [the ` character](/url) | |||
| [the \` character](/url) | |||
There was a problem hiding this comment.
So this PR is going to introduce a regression but fix a redos issue?
styfle
approved these changes
Jul 2, 2019
SISheogorath
added a commit
to hedgedoc/hedgedoc
that referenced
this pull request
Aug 15, 2019
Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note. For Details: https://github.com/markedjs/marked/releases/tag/v0.7.0 markedjs/marked#1515 What is a ReDOS? A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremly huge trees that simply lead to exhausting CPU usage. For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This was referenced Aug 30, 2019
SISheogorath
added a commit
to SISheogorath/codimd-server
that referenced
this pull request
Sep 5, 2019
Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note. For Details: https://github.com/markedjs/marked/releases/tag/v0.7.0 markedjs/marked#1515 What is a ReDOS? A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremly huge trees that simply lead to exhausting CPU usage. For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This was referenced Sep 12, 2019
This was referenced Sep 24, 2019
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Marked version: master
Description
Fixes the ReDOS vulnerability in #1493
This does break a current test with a single backtick in a link label
That markdown can be fixed by escaping the backtick
Fixes #1493
Contributor
Committer
In most cases, this should be a different person than the contributor.