Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-23382 Might apply? #45

Closed
prb112 opened this issue Jan 12, 2022 · 2 comments · Fixed by #49
Closed

CVE-2021-23382 Might apply? #45

prb112 opened this issue Jan 12, 2022 · 2 comments · Fixed by #49

Comments

@prb112
Copy link

prb112 commented Jan 12, 2022

Dear SCSS-Tokenizer Team,

In scanning my node_modules for Regular Expression Denial of Service (ReDoS) Affecting org.webjars.npm:postcss and CVE-2021-23382

I encountered scss-tokenizer with previous-map.js with the same style regular expression that is cited in the CVE commit.

postcss

    return sourceMapString.match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1].trim()

scss-tokenizer

let match = css.match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)

It's slightly different, and maybe worth your time to double check.

I hope this helps.
@curtvict curtvict mentioned this issue Jul 12, 2022
Closed
@sushantmittal sushantmittal mentioned this issue Jul 14, 2022
Merged
@Dipenduroy
Copy link

Do we have any blockers to merge the PR? Awaiting the CVE fix

@Svetlana-github Svetlana-github mentioned this issue Jul 26, 2022
Open
@xzyfer
Copy link
Member

xzyfer commented Aug 10, 2022

Fixed in v0.4.3

@keithchong keithchong mentioned this issue Oct 24, 2022
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixed ReDoS in "loadAnnotation" function of "previous-map.js" sushantmittal/scss-tokenizer
3 participants
@xzyfer @prb112 @Dipenduroy