
Backport CVE-2024-4067 fix from 4.0.6 over 4.0.7 #266

Merged
merged 7 commits into from
Aug 23, 2024

Conversation

hauserkristof
Contributor

@hauserkristof hauserkristof commented Aug 22, 2024

  • Version 4.0.6 breaks compatibility with 4.0.5 and previous versions
  • Version 4.0.7 does not break the compatibility but does not have the fix

More info at #264

This PR maintains the compatibility with 4.0.5 and prior versions but backports the CVE fix.

Hello, and thanks for contributing to micromatch!

tldr

There are three main goals in this document, depending on the nature of your pr:

  • description: please tell us about your pr
  • checklist: please review the checklist that is most closely related to your pr

The following sections provide more detail on each.

Improve this document

Please don't hesitate to ask questions for clarification, or to make suggestions (or a pull request) to improve this document.

Description

To help the project's maintainers and community to quickly understand the nature of your pull request, please create a description that incorporates the following elements:

  • what is accomplished by the pr
  • if there is something potentially controversial in your pr, please take a moment to tell us about your choices

Checklist

Please use the checklist that is most closely related to your pr (you only need to use one checklist, and you can skip items that aren't applicable or don't make sense):

Fixing typos

  • Please review the readme advice section before submitting changes

Documentation

  • Please review the readme advice section before submitting changes

Bug Fix

  • All existing unit tests are still passing (if applicable)
  • Add new passing unit tests to cover the code introduced by your pr
  • Update the readme (see readme advice)
  • Update or add any necessary API documentation

New Feature

  • If this is a big feature with breaking changes, consider opening an issue to discuss first. This is completely up to you, but please keep in mind that your pr might not be accepted.
  • Run unit tests to ensure all existing tests are still passing
  • Add new passing unit tests to cover the code introduced by your pr
  • Update the readme (see readme advice)

Thanks for contributing!

Readme advice

Please review this section if you are updating readme documentation.

Readme template

This project uses verb for documentation. Verb generates the project's readme documentation from the .verb.md template in the root of this project.

Make all documentation changes in .verb.md, and please do not edit the readme.md directly, or your changes might accidentally get overwritten.

Code comments

Please add code comments (following the same style as existing comments) to describe any code changes or new code introduced by your pull request.

Optionally build the readme

Any changes made to .verb.md and/or code comments will be automatically incorporated into the README documentation the next time verb is run.

We can take care of building the documentation for you when we merge in your changes, or feel free to run verb yourself. Whatever you prefer is fine with us.

- 4.0.6 breaks API compatibility
@paulmillr
Contributor

tests are failing

@graingert-coef

graingert-coef commented Aug 22, 2024

this is because macos-latest is now macos-14 which only supports arm (M1) cpus, and only node 16+, you'll need to either use macos-13 or macos-12 for the 10, 12 and 14 node versions or use architecture: 'x64'. See actions/setup-node#1017 (comment)

@ppvg ppvg mentioned this pull request Aug 22, 2024
@hauserkristof
Contributor Author

Yeah, the issue with the test was the mentioned

    this is because macos-latest is now macos-14 which only supports arm (M1) cpus, and only node 16+, you'll need to either use macos-13 or macos-12 for the 10, 12 and 14 node versions or use architecture: 'x64'. See actions/setup-node#1017 (comment)

issue. I have modified the pipeline to properly run the tests on macOS with Node versions 10, 12 and 14.

@graingert-coef

@hauserkristof might be worth updating the changelog, with entries for the incorrect/breaking 4.0.6 and the insecure 4.0.7 and the secure+compatible 4.0.8?

@hauserkristof
Contributor Author

I have extended the changelog.

@hauserkristof hauserkristof changed the title Backport CVE-2024-4067 & 4068 fix from 4.0.6 over 4.0.7 Backport CVE-2024-4067 fix from 4.0.6 over 4.0.7 Aug 22, 2024

Julian added a commit to bowtie-json-schema/bowtie that referenced this pull request Aug 23, 2024
It will be fixed by micromatch/micromatch#266 followed by a release, and
is depended on by the estree stuff it looks like (so we don't use it in
the real site).
@doowb
Member

doowb commented Aug 23, 2024

@hauserkristof thanks for this PR.

One nitpick... the code changes are not following the eslint rules, even though it looks like the code was copied from the changes in master. Specifically the quotes (should be single ' vs double ").

I have my editor configured to run eslint fix when saving, so I can quickly fix this, but I just wanted to point it out in case you wanted to do another commit before this is merged.

@hauserkristof
Contributor Author

Hey @doowb,
Yeah, I noticed it. I had to use "save without formatting", because the other parts were not formatted, and I did not want to cause too many changes to the original.

But I may change these.

It would be nice to know the agenda for the release before it.

@doowb
Member

doowb commented Aug 23, 2024

No problem. I'll make the change (only the new changes are formatting when I save). Thanks.

@doowb doowb merged commit 03aa805 into micromatch:v4 Aug 23, 2024
15 checks passed
AmritSidhu added a commit to govuk-one-login/ipv-core-front that referenced this pull request Sep 10, 2024
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to micromatch/micromatch#266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
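The backtracking mechanism described in the commit message above, as an added example that is not code from micromatch or from this pull request: a hypothetical brace-matching regex built around a greedy `.*`, beside a form whose character class excludes braces and so cannot re-scan the same text, plus a one-pass scanner whose visit counter makes the linear cost checkable without timing. The two regexes (`UNSAFE_BRACE_RE`, `SAFE_BRACE_RE`) are stand-ins chosen to illustrate the class of defect, not the pattern that was actually patched in micromatch, and the input is constructed.

```javascript
// Added example, not micromatch's code. The regexes below are hypothetical
// stand-ins for a brace-matching pattern; they are not the one patched in
// micromatch and are here only to show how `.*` degrades to quadratic work.

// Greedy `.*` runs to the end of the input for every `{` it starts from, then
// backtracks one character at a time hunting for a `}` that never comes.
// With k opening braces and no closing one, that is roughly k * n steps.
const UNSAFE_BRACE_RE = /\{.*\}/;

// The body may not contain another brace, so a candidate start consumes at
// most the text up to the next `{` or `}` and the engine never re-scans a run
// it has already rejected: total work stays proportional to the input length.
const SAFE_BRACE_RE = /\{[^{}]*\}/;

// Explicit scanner with the same semantics as SAFE_BRACE_RE: returns the first
// `{...}` group that contains no nested braces. It visits each character once
// and reports the visit count so the linear bound can be asserted directly.
function findBraceGroup(input) {
  let open = -1;   // index of the most recent unmatched `{`, or -1
  let steps = 0;
  for (let i = 0; i < input.length; i++) {
    steps++;
    const ch = input[i];
    if (ch === '{') {
      open = i;    // a later `{` restarts the candidate group
    } else if (ch === '}' && open !== -1) {
      return { match: input.slice(open, i + 1), steps };
    }
  }
  return { match: null, steps };
}

// Constructed worst-case input: many opening braces and no closing one.
function unclosedBraces(n) {
  return '{'.repeat(n);
}

// Wall-clock cost of one test() call in milliseconds (illustrative only;
// performance.now() is a global in Node 16+ and in browsers).
function timeRegex(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

function main() {
  // Doubling n should roughly quadruple the unsafe time while the safe
  // pattern and the scanner grow linearly.
  for (const n of [1000, 2000, 4000]) {
    const input = unclosedBraces(n);
    const scan = findBraceGroup(input);
    console.log(
      `n=${n}: unsafe ${timeRegex(UNSAFE_BRACE_RE, input).toFixed(2)} ms, ` +
      `safe ${timeRegex(SAFE_BRACE_RE, input).toFixed(2)} ms, ` +
      `scanner ${scan.steps} steps, match=${scan.match}`
    );
  }
}

main();
```

Note that the two regexes also differ in meaning on well-formed input with several groups: `.*` is greedy, so `/\{.*\}/` on `{a}{b}` matches the whole string, while the bounded form matches `{a}` only. A fix that swaps the pattern therefore needs tests for the accepted inputs as well as for the pathological ones, which is what the comment above about continued testing points at.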
7 participants