-
-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerability in the latest version #51
Comments
Hi @6en6ar, thanks for bringing a security vulnerability to my attention. While I understand your initial request to discuss it privately, I encourage you to share the specifics openly within the issue. If you have any specific reasons for wanting to discuss privately, please let me know. In order to address it effectively, it would be really helpful if you could provide more details directly in the GitHub issue. This way, we can have a clear understanding of the issue and work towards finding a solution together. |
Hey. Thank You for responding. The regex "^\S+(@)\S+(:).*$" on line 396. in lib.rs that searches for the file or ssh scheme inside an url is vulnerable to a Regex denial of service attack when a malicious input is provided to the nomalize_url function. Continuous searching for @ and : when a large input is provided causes the function to hang and the error out. The payload I used was: |
* chore: Remove `regex` crate And update deps, bump crate version * chore: Reduce required dependencies - Move `tracing` to feature flag - Replace `color-eyre` with `thiserror` * chore: Update MSRV badge * chore: Update README badges * chore: Update changelog Git history was missing tags, so changelog was missing them too Set the next version back to next in 0.4.x series * test: Add test for #51
Hey Tj Telan,
Is there a way for You to contact me regarding a security vulnerability I discovered, so I can report it to You privately, or if You can give me your contact.
Thank You
The text was updated successfully, but these errors were encountered: