yargs-parser@20.2.7 appears vulnerable to regular expression denial-of-service (ReDoS) when unknown-options-as-args is set to true and an attacker can invoke the parser with arguments of the form ----....----a. See proof-of-concept below:
See the output of above graphed below, with a power regression overlaid:
This appears to be caused by the regexps at yargs-parser.ts lines 977-985. The maximum number of characters in an argument passed by process invocation is quite large, so I recommend fixing this by swapping the regular expressions with these safe replacements.
| regexp | replacement |
| --- | --- |
| `^-+([^=]+?)=[\s\S]*$` | `^-+([^=-]+?)=[\s\S]*$` |
| `^-+([^=]+?)$` | `^-+([^=-]+?)$` |
| `^-+([^=]+?)-$` | `^-+([^=-]+?)-$` |
| `^-+([^=]+?\d+)$` | `^-+([^=\d-]+?\d+)$` |
| `^-+([^=]+?)\W+.*$` | `^-+([^=\W-]+?)\W+[^\W+]*$` |
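Added example, not code from the issue or from yargs-parser itself: the original and proposed patterns side by side, with a check a maintainer would run before adopting the replacements. Over a constructed corpus of ordinary option spellings it reports where the two sets disagree (for instance on option names that themselves contain a dash), and it keeps the super-linear originals away from long inputs so the check itself cannot stall.

```javascript
// Patterns as listed in the report: the five originals and their proposed replacements.
const ORIGINAL = [
  /^-+([^=]+?)=[\s\S]*$/,
  /^-+([^=]+?)$/,
  /^-+([^=]+?)-$/,
  /^-+([^=]+?\d+)$/,
  /^-+([^=]+?)\W+.*$/,
];
const HARDENED = [
  /^-+([^=-]+?)=[\s\S]*$/,
  /^-+([^=-]+?)$/,
  /^-+([^=-]+?)-$/,
  /^-+([^=\d-]+?\d+)$/,
  /^-+([^=\W-]+?)\W+[^\W+]*$/,
];

// Indices of every pattern in `patterns` that matches `arg` (no ordering assumed).
function matching(patterns, arg) {
  const hits = [];
  patterns.forEach((re, i) => { if (re.test(arg)) hits.push(i); });
  return hits;
}

// Evaluate both sets on one argument. Inputs longer than `maxLenForOriginal`
// are only run against the hardened set, so the comparison never feeds a long
// string to the super-linear originals.
function compare(arg, maxLenForOriginal = 64) {
  const hardened = matching(HARDENED, arg);
  if (arg.length > maxLenForOriginal) {
    return { arg, hardened, original: null, diverges: null };
  }
  const original = matching(ORIGINAL, arg);
  const diverges = JSON.stringify(original) !== JSON.stringify(hardened);
  return { arg, hardened, original, diverges };
}

// Arguments on which the two sets disagree: the list a maintainer reviews
// before accepting a regexp swap, since each entry is a parsing change.
function divergences(corpus) {
  return corpus.map((a) => compare(a)).filter((r) => r.diverges === true);
}

// Constructed sample corpus of typical option spellings (not from the issue).
const SAMPLE_ARGS = [
  '--foo=bar', '--foo', '-v', '--foo-', '--port1', '--foo.bar', '--foo-bar=1', '--no-color',
];

// Pathological shape from the report, long enough that only the hardened set is run.
const LONG_DASHES = '-'.repeat(30000) + 'a';
```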