Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

path-to-regexp@0.1.10 #5902

Merged
merged 2 commits into from
Sep 9, 2024

Conversation

blakeembrey
Copy link
Member

Use latest release.

Copy link
Member

@wesleytodd wesleytodd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just get an unreleased section on the history file?

@wesleytodd wesleytodd merged commit 125bb74 into expressjs:master Sep 9, 2024
49 checks passed
@alexporto2200
Copy link

path-to-regexp <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via npm audit fix --force
Will install express@3.21.2, which is a breaking change
node_modules/path-to-regexp
express 4.0.0-rc1 - 5.0.0-alpha.6
Depends on vulnerable versions of path-to-regexp
node_modules/express

2 high severity vulnerabilities

@omerlh
Copy link

omerlh commented Sep 11, 2024

Looking at Snyk https://security.snyk.io/package/npm/path-to-regexp everything bellow version 8 is vulnerable... are there plans to upgrade to latest version?

@corneliusroemer
Copy link

@omerlh snyk is wrong. The original advisory is here: GHSA-9wv6-86v2-598j

hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
## [0.8.1](https://github.com/equinor/webviz-subsurface-components/compare/wsc-common@0.8.0...wsc-common@0.8.1) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
## [1.4.1](https://github.com/equinor/webviz-subsurface-components/compare/well-completions-plot@1.4.0...well-completions-plot@1.4.1) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
## [0.30.4](https://github.com/equinor/webviz-subsurface-components/compare/subsurface-viewer@0.30.3...subsurface-viewer@0.30.4) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
## [1.3.1](https://github.com/equinor/webviz-subsurface-components/compare/group-tree-plot@1.3.0...group-tree-plot@1.3.1) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
hkfb pushed a commit to equinor/webviz-subsurface-components that referenced this pull request Sep 11, 2024
## [1.13.2](https://github.com/equinor/webviz-subsurface-components/compare/well-log-viewer@1.13.1...well-log-viewer@1.13.2) (2024-09-11)

### Bug Fixes

* bump body-parser and express in /typescript ([#2238](#2238)) ([0eca39e](0eca39e)), closes [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#523](expressjs/body-parser#523) [expressjs/body-parser#527](expressjs/body-parser#527) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [expressjs/body-parser#535](expressjs/body-parser#535) [expressjs/body-parser#522](expressjs/body-parser#522) [expressjs/body-parser#521](expressjs/body-parser#521) [expressjs/body-parser#531](expressjs/body-parser#531) [expressjs/body-parser#534](expressjs/body-parser#534) [#534](#534) [#531](#531) [#521](#521) [#523](#523) [#522](#522) [expressjs/express#5561](expressjs/express#5561) [expressjs/express#5562](expressjs/express#5562) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5564](expressjs/express#5564) [expressjs/express#5526](expressjs/express#5526) [expressjs/express#5579](expressjs/express#5579) [expressjs/express#5587](expressjs/express#5587) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5600](expressjs/express#5600) [expressjs/express#5433](expressjs/express#5433) [expressjs/express#5605](expressjs/express#5605) [expressjs/express#5569](expressjs/express#5569) [expressjs/express#5628](expressjs/express#5628) [expressjs/express#5639](expressjs/express#5639) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5619](expressjs/express#5619) [expressjs/express#5653](expressjs/express#5653) [expressjs/express#5666](expressjs/express#5666) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5672](expressjs/express#5672) [expressjs/express#5695](expressjs/express#5695) [expressjs/express#5683](expressjs/express#5683) [expressjs/express#5722](expressjs/express#5722) [expressjs/express#5762](expressjs/express#5762) [expressjs/express#5599](expressjs/express#5599) [expressjs/express#5436](expressjs/express#5436) [expressjs/express#5814](expressjs/express#5814) [expressjs/express#5836](expressjs/express#5836) [expressjs/express#5603](expressjs/express#5603) [expressjs/express#5835](expressjs/express#5835) [expressjs/express#5781](expressjs/express#5781) [expressjs/express#5902](expressjs/express#5902) [expressjs/express#5565](expressjs/express#5565) [expressjs/express#5590](expressjs/express#5590) [expressjs/express#5627](expressjs/express#5627) [expressjs/express#5690](expressjs/express#5690) [expressjs/express#5814](expressjs/express#5814) [#5928](https://github.com/equinor/webviz-subsurface-components/issues/5928) [#5926](https://github.com/equinor/webviz-subsurface-components/issues/5926) [#5902](https://github.com/equinor/webviz-subsurface-components/issues/5902) [#5781](https://github.com/equinor/webviz-subsurface-components/issues/5781) [#5603](https://github.com/equinor/webviz-subsurface-components/issues/5603) [#5836](https://github.com/equinor/webviz-subsurface-components/issues/5836)
@lirantal
Copy link

@corneliusroemer the Snyk team updated the security advisory with the following note that adds context:

Note: Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this bypass, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

Is this helpful, or is there anything else you consider important to add?

@corneliusroemer
Copy link

corneliusroemer commented Sep 11, 2024

I reported the error to them some 10 hours ago 😀 they fixed it afterwards it seems 🙈

Oh you're at snyk, great! I don't know much about this vuln, I just reported wrong snyk info to snyk :)

I missed the full comment, here it is as a quote with line breaks:

Note: Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this bypass, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

@ctcpip
Copy link
Member

ctcpip commented Sep 11, 2024

@lirantal path-to-regexp is not a sanitization library. Users can provide regular expressions directly, for which they are responsible for not introducing evil regular expressions. This is true when they pass only a regular expression, and it is true when they pass a regular expression as a component/sub-expression of the string. That's not a "bypass". That's the user deliberately providing a regular expression.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants