Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

path-to-regexp@0.1.10 #5902

Merged
merged 2 commits into from
Sep 9, 2024
Merged

path-to-regexp@0.1.10 #5902

merged 2 commits into from
Sep 9, 2024
+3 −2

Conversation

blakeembrey
Copy link
Member

Use latest release.

wesleytodd
wesleytodd requested changes Sep 9, 2024
View reviewed changes
Copy link
Member

@wesleytodd wesleytodd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just get an unreleased section on the history file?

@wesleytodd wesleytodd merged commit 125bb74 into expressjs:master Sep 9, 2024
49 checks passed
@puremana puremana mentioned this pull request Sep 9, 2024
Open
@alexporto2200
Copy link

path-to-regexp <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via npm audit fix --force
Will install express@3.21.2, which is a breaking change
node_modules/path-to-regexp
express 4.0.0-rc1 - 5.0.0-alpha.6
Depends on vulnerable versions of path-to-regexp
node_modules/express

2 high severity vulnerabilities

@MilkaChucky MilkaChucky mentioned this pull request Sep 10, 2024
Merged
@shotanue shotanue mentioned this pull request Sep 11, 2024
Closed
4 tasks
@omerlh
Copy link

omerlh commented Sep 11, 2024

Looking at Snyk https://security.snyk.io/package/npm/path-to-regexp everything bellow version 8 is vulnerable... are there plans to upgrade to latest version?

@corneliusroemer
Copy link

@omerlh snyk is wrong. The original advisory is here: GHSA-9wv6-86v2-598j

hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
@semantic-release-bot
chore(release): wsc-common@0.8.1 [skip ci]
43006ca 
## [0.8.1](https://github.com/equinor/webviz-subsurface-components/compare/wsc-common@0.8.0...wsc-common@0.8.1) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
@semantic-release-bot
chore(release): well-completions-plot@1.4.1 [skip ci]
0ffe8e8 
## [1.4.1](https://github.com/equinor/webviz-subsurface-components/compare/well-completions-plot@1.4.0...well-completions-plot@1.4.1) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
@semantic-release-bot
chore(release): subsurface-viewer@0.30.4 [skip ci]
14e64f9 
## [0.30.4](https://github.com/equinor/webviz-subsurface-components/compare/subsurface-viewer@0.30.3...subsurface-viewer@0.30.4) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
@semantic-release-bot
chore(release): group-tree-plot@1.3.1 [skip ci]
2f9a7d3 
## [1.3.1](https://github.com/equinor/webviz-subsurface-components/compare/group-tree-plot@1.3.0...group-tree-plot@1.3.1) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
@semantic-release-bot
chore(release): well-log-viewer@1.13.2 [skip ci]
033afd7 
## [1.13.2](https://github.com/equinor/webviz-subsurface-components/compare/well-log-viewer@1.13.1...well-log-viewer@1.13.2) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
@lirantal
Copy link

@corneliusroemer the Snyk team updated the security advisory with the following note that adds context:

Note: Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this bypass, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

Is this helpful, or is there anything else you consider important to add?

@corneliusroemer
Copy link

corneliusroemer commented Sep 11, 2024
edited
Loading

I reported the error to them some 10 hours ago 😀 they fixed it afterwards it seems 🙈

Oh you're at snyk, great! I don't know much about this vuln, I just reported wrong snyk info to snyk :)

I missed the full comment, here it is as a quote with line breaks:

Note: Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this bypass, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

@ctcpip
Copy link
Member

ctcpip commented Sep 11, 2024

@lirantal path-to-regexp is not a sanitization library. Users can provide regular expressions directly, for which they are responsible for not introducing evil regular expressions. This is true when they pass only a regular expression, and it is true when they pass a regular expression as a component/sub-expression of the string. That's not a "bypass". That's the user deliberately providing a regular expression.

@blakeembrey blakeembrey deleted the be/bump-path-to-regexp branch September 11, 2024 19:26
This was referenced Sep 11, 2024
Open
Open
Open
Open
Open
Open
Open
@lirantal
Copy link

@ctcpip I don't completely disagree. There's a subtlety and nuances matter. A related analogy might be vm2 which allows code execution sandbox but failed multiple times to properly isolate it from code injection payloads. It ultimately comes down to the scope of responsibility the path-to-regexp library claims. If the library says "I just provide the functionality, you provide the regex, which could result in denial of service and it is the you (consumer) responsibility to safeguard it" then my personal opinion (not Snyk) is that I agree there's no viable CVE.

@blakeembrey Regardless, on the approach and CVE or not, it is probably a good practice to put a security disclaimer in the README if you feel there are some "gotchas" or security related insights you want to let consumers know about.

@wesleytodd
Copy link
Member

It ultimately comes down to the scope of responsibility the path-to-regexp library claims. If the library says "I just provide the functionality, you provide the regex, which could result in denial of service and it is the you (consumer) responsibility to safeguard it" then my personal opinion (not Snyk) is that I agree there's no viable CVE.

This is what we are saying. We do not consider a user writing an unsafe regular expression in their application code and passing it into express or path-to-regexp to be part of our threat model. I agree adding more warning language is a great next step.

If we do this, would Snyk be willing to change their versions to match the ones we list in the CVE?

@lirantal
Copy link

I've shared the context of the thread here with the Snyk analysts team so it's for them to triage and follow-up.

p.s. Wes, while the thread here is on expressjs/express, the actual package in question is path-to-regexp which is maintained by Blake, or are you part of that project too? asking as it would help the Snyk team to figure out how/who to include in a discussion for this if this is brought up.

@wesleytodd
Copy link
Member

wesleytodd commented Sep 16, 2024
edited by ctcpip
Loading

p.s. Wes, while the thread here is on expressjs/express, the actual package in question is path-to-regexp which is maintained by Blake, or are you part of that project too? asking as it would help the Snyk team to figure out how/who to include in a discussion for this if this is brought up.

The Express project has governance over the packages in three GH orgs: expressjs, pillarjs, & jshttp. So yes, @blakeembrey is the author, Project Captain, and primary owner of path-to-regexp, but we also have a security triage and working group as well as some level of input from the @expressjs/express-tc members when it helps or directly effects the experience which users of express would have.

I will leave it up to @blakeembrey for how we would like to proceed, but from my side I would be happy if we included at least a few folks like @ctcpip & @UlisesGascon (and myself if I would add value) who have been helping drive our security initiatives.

@lirantal
Copy link

Ok, that's excellent. I've shared the thread with the team so when/how they follow-up they get the info. Appreciate the context Wes ❤️

@wesleytodd wesleytodd mentioned this pull request Sep 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wesleytodd wesleytodd wesleytodd approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@jonchurch jonchurch jonchurch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@blakeembrey @alexporto2200 @omerlh @corneliusroemer @lirantal @ctcpip @wesleytodd @UlisesGascon @jonchurch