
feat: update validator to resolve security vulnerability #30

Merged: 2 commits, Nov 24, 2022

Conversation

abdulrahman-khankan (Contributor)

This resolves the following security vulnerability: GHSA-qgmg-gppg-76g5

validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity

References
https://nvd.nist.gov/vuln/detail/CVE-2021-3765
validatorjs/validator.js@496fc8b
https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9

I ran the tests locally on Node v8 / v10 / v12 / v14 / v16 / v18 and they passed in every version.

Here is a list of changes between the currently used v8 and latest v13 (13.7.0). I generated this list from the validator.js/CHANGELOG.md file by searching for isEmail, isURL, and isCreditCard (which are the validator dependencies this package uses).

isEmail

  • 13.7.0: #1718 isEmail: replace all dots in GMail length validation @DasDingGehtNicht
  • 13.7.0: #1941 isEmail: add host_blacklist option @fedeci
  • 13.6.1: #1651 fix ReDOS vulnerabilities in isHSL and isEmail @tux-tn
  • 13.5.1: #1449 isEmail: character blacklisting @rubiin
  • 13.5.1: #1435 isEmail: respect ignore_max_length option @evantahler
  • 11.0.0: Updated isEmail() to validate display names according to RFC2822 (#1004)
  • 11.0.0: Updated isEmail() to check total email length (#1007)
  • 10.5.0: Added support for IP hostnames in isEmail() (#845)
  • 10.3.0: Strict Gmail validation in isEmail() (#832)
  • 10.0.0: Reject domain parts longer than 63 octets in isFQDN(), isURL() and isEmail() (bb3e542)

isURL

  • 13.7.0: #1721 isURL: add allow_fragments and allow_query_components @cowboy-bebug
  • 13.7.0: #1748 isURL: higher priority to whitelist @deepanshu2506
  • 13.7.0: #1751 isURL: allow url with colon and no port @MatteoPierro
  • 13.7.0: #1833 isURL: allow URL with an empty user @MiguelSavignano
  • 13.6.1: #1644 isURL: Allow URLs to have only a username in the userinfo subcomponent @jbuchmann-coosto
  • 13.5.1: #1436 isURL: added require_port option @yshanli
  • 13.1.17: #1425 fix validation for userinfo part for isURL @heanzyzabala
  • 13.1.17: #1397 added validate_length option for isURL @tomgrossman
  • 10.9.0: Added an option to isURL() to reject email-like URLs (#901)
  • 10.5.0: Updated isURL() to reject protocol relative URLs unless a flag is set (#860)
  • 10.0.0: Reject domain parts longer than 63 octets in isFQDN(), isURL() and isEmail() (bb3e542)

isCreditCard

  • 13.7.0: #1715 isCreditCard: fix for Union Pay cards @shreyassai123
  • 13.1.0: Support additional cards in isCreditCard() (#1177)
  • 10.0.0: Added a new Amex prefix to isCreditCard() (#805)
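
A bump in package.json does not by itself prove that no copy of the affected release remains in the install tree, since another dependency can pin its own nested copy of validator. The following script, added here as an example and not part of this PR or of the validator.js or ikr projects, walks an npm lockfile (lockfileVersion 1, 2 or 3) and reports every install path where validator resolves to a version below 13.7.0, the first release the advisory GHSA-qgmg-gppg-76g5 lists as unaffected. The lockfile object embedded in the script, including the version 8.2.0 it contains, is constructed for illustration; the file name audit-validator.js in the usage comment is an assumption.

```javascript
// Added example (not part of this PR or of validator.js): flag every copy of a
// package in an npm lockfile whose version is below a fixed release.
// The lockfile object below is constructed for illustration.
const FIXED_VALIDATOR = "13.7.0"; // versions prior to 13.7.0 are affected per GHSA-qgmg-gppg-76g5

// Parse "13.7.0" (or "v13.7.0") into [13, 7, 0]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two semver strings; returns -1, 0 or 1 like an Array.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return [{ where, version }] for every install path where `name` resolves to
// a version older than `fixed`. Handles lockfileVersion 2/3 (flat "packages"
// map keyed by install path) and lockfileVersion 1 (nested "dependencies").
function findVulnerable(lock, name, fixed) {
  const hits = [];
  const check = (where, version) => {
    if (compareVersions(version, fixed) < 0) hits.push({ where, version });
  };

  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      // "node_modules/validator" and "node_modules/x/node_modules/validator"
      // both end in the package name after the last "node_modules/" segment.
      if (path.split("node_modules/").pop() === name) check(path, pkg.version);
    }
    return hits; // v2 lockfiles also carry "dependencies"; skip it to avoid double counting
  }

  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${dep}`;
      if (dep === name) check(where, entry.version);
      walk(entry.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the top-level validator is old, while a nested copy
// pulled in by another dependency is already on the fixed release.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/validator": { version: "8.2.0" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/validator": { version: "13.7.0" },
  },
};

// Audit the constructed sample; expected: one hit, the top-level 8.2.0 copy.
function auditSample() {
  return findVulnerable(SAMPLE_LOCK, "validator", FIXED_VALIDATOR);
}

// Stand-alone usage (file name assumed): node audit-validator.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const h of findVulnerable(lock, "validator", FIXED_VALIDATOR)) {
    console.log(`${h.where}: validator@${h.version} < ${FIXED_VALIDATOR}`);
  }
}
```

Run it against the real package-lock.json after `npm install`; an empty result means no copy of the affected range is installed anywhere in the tree, which is the condition the advisory actually cares about, not just the range declared in package.json.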

@abdulrahman-khankan (Contributor, Author)

@ikr @simon-scherzinger could you please review this PR & release a new version?

@ikr (Owner) commented Nov 22, 2022

Will take a look this week. Thank you!

@abdulrahman-khankan (Contributor, Author)

@ikr since the last build was quite some time ago, I think it was configured with travis-ci.org and needs to be reconfigured to build with travis-ci.com.

@ikr ikr merged commit b6e053b into ikr:master Nov 24, 2022
@ikr (Owner) commented Nov 24, 2022

Published v3.0.4

@abdulrahman-khankan deleted the update-validatir branch on November 29, 2022 at 13:16