Fix a possible ReDoS

cronvel · Oct 12, 2021 · a2e446c · a2e446c
1 parent 6e529a5
commit a2e446c
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 6 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,4 +1,10 @@
 
+v2.1.8
+------
+
+Fix a possible ReDoS
+
+
 v2.1.7
 ------
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,10 @@
+
+## Reporting a Vulnerability
+
+If you think you have found a vulnerability, _please report responsibly_.
+Don't create GitHub issues for security issues.
+Instead, send an email to cedric dot ronvel at gmail dot com and I will look into it as soon as possible.
+
+**A note for bounty hunters:** I should mention that I *usually* prefer to fix security issues by myself,
+because it could involve rethinking API or fixing it / working around it in a way only an official maintainer can do it.
+I want to avoid people getting frustrated: **don't work on a fix before getting in touch with me**.
diff --git a/browser/termkit.js b/browser/termkit.js
@@ -19123,9 +19123,11 @@ misc.truncateString = ( str , maxWidth ) => {
 
 
 
-// width of a string with a markup, without control chars
+// Width of a string with a markup, without control chars
 misc.markupWidth = str => {
-	return string.unicode.width( str.replace( /\^\[[^\]]*]|\^(.)/g , ( match , second ) => {
+	// Fix a possible ReDoS, the regex:   /\^\[[^\]]*]|\^(.)/g   was replaced by:   /\^\[[^^[\]]*]|\^(.)/g
+	// The exploit was possible with a string like: '^['.repeat(bigNumber)
+	return string.unicode.width( str.replace( /\^\[[^^[\]]*]|\^(.)/g , ( match , second ) => {
 		if ( second === ' ' || second === '^' ) {
 			return second ;
 		}

diff --git a/browser/termkit.min.js b/browser/termkit.min.js
diff --git a/lib/misc.js b/lib/misc.js
@@ -180,9 +180,11 @@ misc.truncateString = ( str , maxWidth ) => {
 
 
 
-// width of a string with a markup, without control chars
+// Width of a string with a markup, without control chars
 misc.markupWidth = str => {
-	return string.unicode.width( str.replace( /\^\[[^\]]*]|\^(.)/g , ( match , second ) => {
+	// Fix a possible ReDoS, the regex:   /\^\[[^\]]*]|\^(.)/g   was replaced by:   /\^\[[^^[\]]*]|\^(.)/g
+	// The exploit was possible with a string like: '^['.repeat(bigNumber)
+	return string.unicode.width( str.replace( /\^\[[^^[\]]*]|\^(.)/g , ( match , second ) => {
 		if ( second === ' ' || second === '^' ) {
 			return second ;
 		}

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "terminal-kit",
-  "version": "2.1.7",
+  "version": "2.1.8",
   "description": "256 colors, keys and mouse, input field, progress bars, screen buffer (including 32-bit composition and image loading), text buffer, and many more... Whether you just need colors and styles, build a simple interactive command line tool or a complexe terminal app: this is the absolute terminal lib for Node.js!",
   "main": "lib/termkit.js",
   "directories": {