Updating tough-cookie due to security fix. #1985

Merged: 2 commits merged into jsdom:master from tough-cookie-sec-update on Sep 25, 2017

Conversation

karlnorling (Contributor)

This addresses:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80 KB, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing, all versions <= 2.3.2 are vulnerable.
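The PR description above gives the shape of the problem (blocking time that grows with input length, bounded only by the HTTP parser's header limit) without showing it. The block below is an added example, not tough-cookie's code and not the regex from the advisory: it uses a generic unanchored trailing-whitespace pattern, `/\s*$/`, which backtracks quadratically on a run of spaces followed by one non-space character, to show how an attacker-controlled string turns into CPU time, and pairs it with a hardened wrapper that refuses oversized input before the regex runs, the same effect the 80 KB header cap has at the server level. `MAX_COOKIE_HEADER`, `hostileInput`, `measureMs` and `trimCookieHeader` are names assumed for this example.

```javascript
// Added example (not tough-cookie's code, not the advisory's regex).
// Illustrates regex denial of service: a backtracking-heavy pattern whose
// running time grows superlinearly with attacker-controlled input length,
// and an input-length guard that bounds the damage the way a header-size
// limit does.

// Generic trailing-whitespace trimmer. It is unanchored on the left, so the
// engine retries \s* from every starting offset: O(n^2) on "    ...    x".
const TRAILING_WS = /\s*$/;

// Constructed attacker input: n spaces followed by a single non-space byte,
// the worst case for the pattern above.
function hostileInput(n) {
  return " ".repeat(n) + "x";
}

// Portable millisecond clock (performance.now() where available).
const now = typeof performance !== "undefined" ? () => performance.now() : () => Date.now();

// Time one regex match against hostile input of length n+1; returns ms.
function measureMs(n) {
  const input = hostileInput(n);
  const start = now();
  TRAILING_WS.test(input);
  return now() - start;
}

// Hypothetical application-level cap on a Cookie header, far below the
// 80 KB the HTTP parser allows by default.
const MAX_COOKIE_HEADER = 8 * 1024;

// Hardened wrapper: reject oversized input *before* the regex runs, so the
// worst-case blocking window is fixed by the cap rather than by the client.
// Returns null for input that is not a string or is too long.
function trimCookieHeader(header) {
  if (typeof header !== "string") return null;
  if (header.length > MAX_COOKIE_HEADER) return null;
  return header.replace(TRAILING_WS, "");
}

// Demonstration: doubling the input roughly quadruples the match time.
for (const n of [500, 1000, 2000, 4000]) {
  console.log(`n=${n}: ${measureMs(n).toFixed(2)} ms`);
}
```

Run it with node and watch the timings scale; the ratio between successive rows, not the absolute numbers, is the evidence of superlinear backtracking. The guard does not make the regex safe, it only caps the cost per request; the real fix is the one the PR pulls in, a patched pattern in tough-cookie.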

@crc442 left a comment

Nice!

@kartikm

kartikm commented Sep 22, 2017

When will this be included in the release?

@Sebmaster (Member)

When will this be included in the release?

There is no action necessary from our side. Just run npm update.

@karlnorling (Contributor, Author)

karlnorling commented Sep 22, 2017

@Sebmaster can you clarify?
I'm running npm update on a project that has jsDom: 11.2.0 as a dependency and I'm getting tough-cookie: 2.3.2

@Sebmaster (Member)

Sebmaster commented Sep 22, 2017

I'm running npm update on a project that has jsDom: 11.2.0 as a dependency and I'm getting tough-cookie: 2.3.2

Ugh, yeah. I can repro that.

If you remove the jsdom version increase from the PR I can merge this.

@karlnorling (Contributor, Author)

@Sebmaster pushed!

Review thread on package-lock.json (outdated, resolved)
@domenic (Member)

domenic commented Sep 25, 2017

And now the package-lock.json is not updated, so nobody will actually see this update... I'll just do the update myself.

@domenic domenic closed this Sep 25, 2017
@domenic (Member)

domenic commented Sep 25, 2017

Oh, I see, tough-cookie was already updated in package-lock.json. So this was not a necessary pull request after all. Still, might as well.

@domenic domenic reopened this Sep 25, 2017
@domenic domenic merged commit 4c3c919 into jsdom:master Sep 25, 2017
@karlnorling karlnorling deleted the tough-cookie-sec-update branch September 26, 2017 18:47
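The back-and-forth above comes down to one point: bumping the range in package.json changes nothing for anyone installing from a lockfile until package-lock.json itself resolves the patched version, and a project can carry more than one copy of tough-cookie (one per dependent that nests it). The block below is an added example, not jsdom's or npm's code: it walks a package-lock.json, both the nested `dependencies` layout of lockfileVersion 1 (what jsdom used in 2017) and the flat `packages` map of lockfileVersion 2/3, and reports every resolved copy of a package that is still at or below a given version, using the `<= 2.3.2` bound from the PR description. The two lock documents are constructed for the example and are not jsdom's real lockfile; `findCopies`, `vulnerableCopies` and `compareVersions` are names assumed here.

```javascript
// Added example (not jsdom's or npm's code): audit a package-lock.json for
// every resolved copy of a package and report the ones still at or below a
// given version. Run it against the parsed JSON of a real lockfile, e.g.
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "2.3.10" sorts after "2.3.9" (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every resolved copy of `name` as { where, version }.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: "dependencies" nested per dependent (v2 files also carry
// a legacy "dependencies" block, so "packages" is preferred when present).
function findCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project entry
      if (key === "node_modules/" + name || key.endsWith("/node_modules/" + name)) {
        copies.push({ where: key, version: info.version });
      }
    }
    return copies;
  }
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) copies.push({ where: here.join(" > "), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return copies;
}

// Copies whose version is <= maxVulnerable (the advisory above: <= 2.3.2).
function vulnerableCopies(lock, name, maxVulnerable) {
  return findCopies(lock, name).filter(
    (c) => compareVersions(c.version, maxVulnerable) <= 0
  );
}

// Constructed lockfiles for the example; NOT jsdom's real package-lock.json.
// Both model the situation in the thread: a top-level/request copy already on
// 2.3.3 while jsdom still nests a 2.3.2 copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    jsdom: {
      version: "11.2.0",
      dependencies: { "tough-cookie": { version: "2.3.2" } },
    },
    request: {
      version: "2.81.0",
      dependencies: { "tough-cookie": { version: "2.3.3" } },
    },
  },
};

const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/tough-cookie": { version: "2.3.3" },
    "node_modules/jsdom": { version: "11.2.0" },
    "node_modules/jsdom/node_modules/tough-cookie": { version: "2.3.2" },
  },
};

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V3]) {
  for (const c of vulnerableCopies(lock, "tough-cookie", "2.3.2")) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${c.where} is at ${c.version}`);
  }
}
```

This is the check that would have shown, before the thread's confusion, that `npm update` on a jsdom 11.2.0 consumer still resolved the nested 2.3.2 copy: the dependent's own lock entry, not the top-level one, is what npm installs for it.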