Merge pull request from GHSA-cr84-xvw4-qx3c
* Test polynomial backtracking ReDoS attack string on Bash

  Create a unit test for a (new) ReDoS string on bash. This test should be failing in this commit.

* Fix ReDoS (as seen in ReDoS test 1) for bash

  Update bash escaping to pessimistically escape opening curly braces, similar to Zsh escaping, to fix the ReDoS due to the complex regular expression for opening curly braces. Update tests accordingly.

* Test against old ReDoS values and all shells

  Refactor the ReDoS test such that 1) it's tested against all (supported) shells, and 2) it's extensible to test against multiple potential ReDoS strings. Regarding the latter, the scope has been updated to include known ReDoS strings related to CVE-2022-36064. The `redos` value is intentionally a function, as this avoids building the string unnecessarily if the file is imported but the `redos` value isn't used.

* Update SECURITY.md

  Add latest advisory and credit its finder
1 parent ec0b41b, commit 552e8ea
Showing 4 changed files with 45 additions and 15 deletions.