dancefinder/dancefinder-app
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Activity

Build(deps): [security] bump moment from 2.29.3 to 2.29.4 #458

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-moment-2.29.4 into master 2022-07-07 05:27:07 +00:00
Conversation 0 Commits 1 Files Changed 2
+5 -5
argoyle commented 2022-07-07 04:38:30 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

Bumps moment from 2.29.3 to 2.29.4. This update includes a security fix.

Vulnerabilities fixed

Inefficient Regular Expression Complexity in moment

Impact

  • using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
  • noticeable slowdown is observed with inputs above 10k characters
  • users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

Patches

The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.

Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.

References

There is an excellent writeup of the issue here: moment/moment#6015

Details

The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.

Patched versions: 2.29.4 Affected versions: >= 2.18.0, < 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

  • Release Jul 6, 2022
    • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex
Commits

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
Bumps [moment](https://github.com/moment/moment) from 2.29.3 to 2.29.4. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong>Inefficient Regular Expression Complexity in moment</strong></p> <h3>Impact</h3> <ul> <li>using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs</li> <li>noticeable slowdown is observed with inputs above 10k characters</li> <li>users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks</li> </ul> <h3>Patches</h3> <p>The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.</p> <h3>Workarounds</h3> <p>In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.</p> <h3>References</h3> <p>There is an excellent writeup of the issue here: <a href="https://github.com/moment/moment/pull/6015#issuecomment-1152961973=">moment/moment#6015</a></p> <h3>Details</h3> <p>The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. <code>moment(&quot;(&quot;.repeat(500000))</code> will take a few minutes to process, which is unacceptable.</p> <p>Patched versions: 2.29.4 Affected versions: &gt;= 2.18.0, &lt; 2.29.4</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/moment/moment/blob/develop/CHANGELOG.md">moment's changelog</a>.</em></p> <blockquote> <h3>2.29.4</h3> <ul> <li>Release Jul 6, 2022 <ul> <li><a href="https://github.com/moment/moment/pull/6015">#6015</a> [bugfix] Fix ReDoS in preprocessRFC2822 regex</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/moment/moment/commit/000ac1800e620f770f4eb31b5ae908f6167b0ab2"><code>000ac18</code></a> Build 2.24.4</li> <li><a href="https://github.com/moment/moment/commit/f2006b647939466f4f403721b8c7816d844c038c"><code>f2006b6</code></a> Bump version to 2.24.4</li> <li><a href="https://github.com/moment/moment/commit/536ad0c348f2f99009755698f491080757a48221"><code>536ad0c</code></a> Update changelog for 2.29.4</li> <li><a href="https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"><code>9a3b589</code></a> [bugfix] Fix redos in preprocessRFC2822 regex (<a href="https://github.com/moment/moment/issues/6015">#6015</a>)</li> <li><a href="https://github.com/moment/moment/commit/6374fd860aeff75e6c9d9d11540c6b22bc7ef175"><code>6374fd8</code></a> Merge branch 'master' into develop</li> <li><a href="https://github.com/moment/moment/commit/b4e615307ee350b58ac9899e3587ce43972b0753"><code>b4e6153</code></a> Revert &quot;[bugfix] Fix redos in preprocessRFC2822 regex (<a href="https://github.com/moment/moment/issues/6015">#6015</a>)&quot;</li> <li><a href="https://github.com/moment/moment/commit/7aebb1617fc9bced87ab6bc4c317644019b23ce7"><code>7aebb16</code></a> [bugfix] Fix redos in preprocessRFC2822 regex (<a href="https://github.com/moment/moment/issues/6015">#6015</a>)</li> <li>See full diff in <a href="https://github.com/moment/moment/compare/2.29.3...2.29.4">compare view</a></li> </ul> </details> <br /> --- <details> <summary>Dependabot commands</summary> <br /> You can trigger Dependabot actions by commenting on this MR - `$dependabot rebase` will rebase this MR - `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts </details>
argoyle (Migrated from gitlab.com) merged commit into master 2022-07-07 05:27:07 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
javascript
security
Pull requests that address a security vulnerability
 severity:critical
severity:high
severity:low
severity:moderate
No Label dependencies javascript security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#458
Delete Branch "dependabot-npm_and_yarn-moment-2.29.4"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?