Fix unsafe regexp
ai committed Apr 8, 2021
1 parent 6f608a1 commit 8682b1e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/previous-map.js
@@ -54,7 +54,7 @@ class PreviousMap {
}

loadAnnotation(css) {
let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm)
let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)

if (annotations && annotations.length > 0) {
// Locate the last sourceMappingURL to avoid picking up
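Review bot: the `\s*` removed before `\*\/` in the `loadAnnotation` regex overlapped with the preceding `.*`, and that overlap is what made the old pattern unsafe: on an annotation that never reaches a closing `*/`, the engine retries every split of a whitespace run between `.*` and `\s*` before giving up. Dropping `\s*` keeps the result for well-formed single-line annotations, because greedy `.*` already consumes spaces and tabs before `*/`. One behaviour change is worth documenting in the commit or a code comment: `.` does not match a newline while `\s` does, so an annotation whose `*/` sits on the line after the URL matched before and no longer does. A short comment on the regex explaining why `\s*` must not be reintroduced, plus a regression test that asserts the match on an annotation with trailing whitespace before `*/` and bounds the running time on an unterminated one, would keep this from regressing.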

12 comments on commit 8682b1e

@ai
Member Author

@ai ai commented on 8682b1e Apr 19, 2021

7.x support is over on Jan 1, 2020.

The issue is not so critical (it affects only online tools like CodePen). It is better to use this reason to update to PostCSS 8.

@ai
Member Author

@ai ai commented on 8682b1e Apr 19, 2021

Ask Angular 11 to update cssnano.

@GeorgiosP

@GeorgiosP GeorgiosP commented on 8682b1e Apr 21, 2021

Would this affect any project using editors like monaco-editor, which has postcss, or other browser-based code editors with a dependency on V7 of postcss 💭

@ai
Member Author

@ai ai commented on 8682b1e Apr 21, 2021

@GeorgiosP it affects only use cases when:

  1. User sends you CSS
  2. You compile this CSS on your servers

In this case, the user can generate special CSS which will take seconds or minutes to compile. An attacker can use it to DoS your servers.

If you can’t update PostCSS, you can add a timeout for CSS processing.

@GeorgiosP

@ai thanks for the additional context 🙏🏼

@Sesughter01

How do I upgrade from 8.1.14 to the patched 8.2.10 in my Laravel project?

@kmaphane

Eagerly waiting for this answer

@ai
Member Author

@ai ai commented on 8682b1e May 17, 2021

@Sesughter01 `yarn upgrade` or `npm update` should update your nested dependencies. But it is better to ask in the Laravel community.

@josephzidell

@ai We run a DevSecOps pipeline (gov't work), and these vulns are causing full blockages. Not every plugin is compatible with v8 at the moment. Seems like it's taking the community some time to make the jump. Would you consider cutting a 7.x release for this?

@ai
Member Author

@ai ai commented on 8682b1e May 21, 2021

@josephzidell this vulnerability affects only runners (postcss-loader, postcss-cli, gulp-postcss) and only web compilers accepting user-generated CSS (like CodePen).

PostCSS in plugin dependencies isn’t affected by this vulnerability.

PostCSS 7 support ended in January 2021.

If you want extended support, you can pay for PostCSS commercial support.

@josaphatmayuba

I have

npm update

image

@hakkisabah

@hakkisabah hakkisabah commented on 8682b1e Jan 15, 2022

I have

npm update

image

I don't understand, I have the same issue and even more...
Screenshot (11)
