| author | Sheogorath | 2019-08-07 09:38:12 +0200 |
|---|---|---|
| committer | Sheogorath | 2019-08-15 23:14:48 +0200 |
| commit | c4053ea7ce359ec03773763fbf3fcb2be192778b (patch) | |
| tree | ba00b95a3985df85a4c30357b40c9212d9c46905 /package.json | |
| parent | 57cfbcbd470c794d667dc7bdb91f9bb27245db94 (diff) | |
Update meta-marked to latest version
Meta-marked 0.4.4, which we used from our git repository, contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities they can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremely huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
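The mechanism the commit message describes, as an added example that is not code from this commit or from marked/meta-marked: a regex with nested quantifiers backtracks exponentially on an input that almost matches, while an equivalent pattern without the ambiguity stays linear, and an input length cap bounds the damage regardless of how the pattern is written. The two patterns are the textbook pair from the OWASP ReDoS article linked above; `MAX_INPUT_LENGTH`, `timeMatch`, `guardedTest` and `compare` are names chosen for this example.

```javascript
// Added example (not from the CodiMD commit): catastrophic backtracking on a
// near-miss input, the equivalent linear-time pattern, and a length guard.

// Vulnerable: "(a+)+" can split a run of a's between the inner and outer
// group in exponentially many ways, and the trailing "!" forces the engine
// to try all of them before it can report failure.
const VULNERABLE = /^(a+)+$/;

// Safe: matches exactly the same strings, but with a single quantifier
// there is only one way to consume the input, so failure is found in
// linear time.
const SAFE = /^a+$/;

// Defensive cap on input length: bounds the work any regex can do per
// request, independent of how well the pattern is written.
const MAX_INPUT_LENGTH = 1000; // hypothetical value chosen for this example

// Run a regex against an input and report whether it matched and how long
// the match took, in milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// Apply the length cap before the regex runs; oversized or non-string
// input is rejected without ever reaching the matcher.
function guardedTest(re, input, maxLength = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string' || input.length > maxLength) {
    return { matched: false, rejected: true };
  }
  return { matched: re.test(input), rejected: false };
}

// Build the constructed near-miss input "aaa...a!" of length n+1 and time
// both patterns on it. Neither pattern matches; only the cost differs.
function compare(n) {
  const nearMiss = 'a'.repeat(n) + '!';
  return {
    vulnerable: timeMatch(VULNERABLE, nearMiss),
    safe: timeMatch(SAFE, nearMiss),
  };
}

// Stand-alone run: the vulnerable pattern's time roughly doubles with each
// extra "a"; the safe pattern stays flat. n is kept small so the
// demonstration finishes in well under a second.
for (const n of [14, 16, 18, 20, 22]) {
  const r = compare(n);
  console.log(
    `n=${n}: vulnerable ${r.vulnerable.elapsedMs.toFixed(1)} ms, ` +
    `safe ${r.safe.elapsedMs.toFixed(3)} ms ` +
    `(matched: ${r.vulnerable.matched}/${r.safe.matched})`
  );
}
```

Run it with `node` and watch the vulnerable column grow geometrically while the safe column does not. In a request handler the length guard is the mitigation that does not depend on auditing every pattern: a fixed cap makes the worst case a function of the cap, not of the attacker's input.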
Diffstat (limited to '')
| -rw-r--r-- | package.json | 4 |
|---|---|---|
1 files changed, 2 insertions, 2 deletions
diff --git a/package.json b/package.json index b495ed94..2649d5af 100644 --- a/package.json +++ b/package.json @@ -82,7 +82,7 @@ "mathjax": "~2.7.0", "mattermost": "^3.4.0", "mermaid": "~8.2.3", - "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2", + "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5", "method-override": "^2.3.7", "minimist": "^1.2.0", "minio": "^6.0.0", @@ -193,8 +193,8 @@ "mocha": "^5.2.0", "mock-require": "^3.0.3", "optimize-css-assets-webpack-plugin": "^5.0.0", - "sequelize-cli": "^5.4.0", "script-loader": "^0.7.2", + "sequelize-cli": "^5.4.0", "string-loader": "^0.0.1", "style-loader": "^0.21.0", "uglifyjs-webpack-plugin": "^1.2.7", |
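Review bot: in the first hunk (`@@ -82,7 +82,7 @@`), the bump from `#semver:^0.4.2` to `#semver:^0.4.5` is a floating range resolved against tags of the git URL, so which meta-marked (and therefore which marked) actually gets installed is decided by the lockfile, not by this line. The commit message states the root cause was the dependency "not updated in yarn", yet this view is limited to package.json and shows no yarn.lock hunk; confirm the regenerated lockfile is part of the same commit, and consider pinning the git dependency to a commit hash rather than a semver range so the resolved version is reproducible and auditable.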
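Review bot: the second hunk (`@@ -193,8 +193,8 @@`) only moves `"sequelize-cli": "^5.4.0"` from above `"script-loader"` to below it, restoring alphabetical order; it is unrelated to the meta-marked/marked fix and is not mentioned in the commit message. Either add a one-line note to the message or split the reorder into its own commit so the security fix stays minimal and easy to cherry-pick.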