path: root/public/views/shared/polyfill.ejs
author: Sheogorath 2019-08-07 09:38:12 +0200
committer: Sheogorath 2019-08-15 23:14:48 +0200
commit: c4053ea7ce359ec03773763fbf3fcb2be192778b (patch)
tree: ba00b95a3985df85a4c30357b40c9212d9c46905 /public/views/shared/polyfill.ejs
parent: 57cfbcbd470c794d667dc7bdb91f9bb27245db94 (diff)
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note.

For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDOS?

A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremely huge trees that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions
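The commit message explains ReDoS as a backtracking tree that explodes on non-matching input. The following is an added illustration, not code from marked or from this repository: a tiny step-counting backtracking matcher run over the textbook nested quantifier `(a+)+$` beside the equivalent linear pattern `a+$`, with a step budget standing in for the bounded-engine or timeout mitigation. The pattern builders, the step limit and the sample input are all constructed for this example.

```javascript
// Pattern nodes: char, one-or-more (plus), sequence, end-of-input anchor.
const ch = (c) => ({ type: 'char', c });
const plus = (node) => ({ type: 'plus', node });
const seq = (...items) => ({ type: 'seq', items });
const END = { type: 'end' };

class BudgetExceeded extends Error {}

// Continuation-passing backtracking matcher. k(pos) is called with the
// position after `node` matched; a false return makes the caller backtrack.
// Every visit is counted so the cost of a pattern becomes observable.
function matchAt(node, s, i, k, st) {
  if (++st.steps > st.limit) throw new BudgetExceeded();
  switch (node.type) {
    case 'char':
      return s[i] === node.c && k(i + 1);
    case 'end':
      return i === s.length && k(i);
    case 'seq': {
      const go = (idx, j) =>
        idx === node.items.length
          ? k(j)
          : matchAt(node.items[idx], s, j, (jj) => go(idx + 1, jj), st);
      return go(0, i);
    }
    case 'plus':
      // Greedy: after one repetition try to repeat again, otherwise hand over
      // to k. The j > i guard prevents looping on empty repetitions.
      return matchAt(node.node, s, i,
        (j) => (j > i && matchAt(node, s, j, k, st)) || k(j), st);
  }
  throw new Error('unknown node type ' + node.type);
}

// Anchored match with a step budget: instead of burning CPU on a pathological
// input, the engine gives up and reports that the budget was exhausted.
function matchWithBudget(pattern, input, limit = 100000) {
  const st = { steps: 0, limit };
  try {
    const matched = matchAt(pattern, input, 0, () => true, st);
    return { matched, steps: st.steps, exhausted: false };
  } catch (e) {
    if (e instanceof BudgetExceeded) return { matched: false, steps: st.steps, exhausted: true };
    throw e;
  }
}

// Constructed sample: nested quantifier (a+)+$ versus linear a+$, both run
// against twenty 'a's followed by a character that makes the match fail.
const EVIL = seq(plus(plus(ch('a'))), END);
const SAFE = seq(plus(ch('a')), END);
const INPUT = 'a'.repeat(20) + 'b';
```

On `INPUT` the linear pattern fails in a few dozen steps, while the nested one hits the 100000-step budget, which is the behaviour a timeout or a bounded regex engine turns into a fast, cheap failure.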