test: security scan #1220
Not sure whether the CI stage is configured properly. I don't think CI changes take effect until after it's merged though, so someone should check it over.
I still don't think the eslint plugin is all that helpful in our situation because of the way we construct the regexes.
As you've pointed out earlier, a static analysis won't guarantee protection. I disagree, however, that it "is [not] all that helpful". It has already identified several REDOS issues, and it is certainly much better than nothing. I therefore suggest we adopt it. We can open an issue to revisit this with a more thorough approach. Exposing the module's regexes and invoking vuln-regex-detector on them from the test suite would be a nice extension.
@davisjam CI is showing a vulnerability.
Ok I see now you have opened #1223
This scan will not produce false positives. This tool only flags a regex if it has demonstrated super-linear behavior against it. It will have some false negatives, e.g. it did not catch #1224.
I like the idea of CI covering us on security. Not going to require this be there for the 0.4.0 release as it seems like there might be some more conversation desired.
@davisjam Want to rebase on master?
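The "only flags a regex after demonstrating super-linear behavior" approach described in the comment above, as an added example; this is not code from marked or from vuln-regex-detector, and the sample regexes, the `pump` input generator and the size/threshold values are constructed for the demo:

```javascript
// Wall-clock time (ms) for a single test() of `re` on `input`.
function timeMatch(re, input) {
  re.lastIndex = 0; // harmless for plain regexes, required for /g and /y
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6; // ns -> ms
}

// Probe `re` with inputs of growing size and return how much the match time grew
// between the two largest sizes. `buildInput(n)` generates attack-shaped strings
// (a repeated pump plus a suffix that forces the match to fail). With sizes 4 apart,
// exponential backtracking gives a ratio near 16; linear or quadratic stays near 1.
function growthRatio(re, buildInput, sizes = [8, 12, 16, 20]) {
  const times = sizes.map((n) => {
    const input = buildInput(n);
    let best = Infinity;
    for (let i = 0; i < 3; i++) best = Math.min(best, timeMatch(re, input)); // best of 3 trims noise
    return best;
  });
  const last = times[times.length - 1];
  const prev = times[times.length - 2];
  // Floor the denominator at 0.05 ms: sub-microsecond runs are timer noise, so a
  // regex that is fast at every size cannot produce a large ratio by accident.
  return last / Math.max(prev, 0.05);
}

// Flag only when super-linear growth was actually observed: no false positives for
// regexes that stay fast, but false negatives for patterns whose worst-case input
// shape differs from what `buildInput` produces (the limitation noted in the thread).
function isSuperLinear(re, buildInput, threshold = 4) {
  return growthRatio(re, buildInput) > threshold;
}

// Constructed sample regexes for the demo (not taken from marked): a nested
// quantifier that backtracks exponentially vs. an anchored pattern that stays linear.
const NESTED = /(a+)+$/;
const SAFE = /^a+!$/;
const pump = (n) => 'a'.repeat(n) + '!'; // a run of 'a', then a char that defeats '$'

function demo() {
  return { nested: isSuperLinear(NESTED, pump), safe: isSuperLinear(SAFE, pump) };
}

console.log(demo());
```

Wired into `npm test`, a check like this fails the build only on regexes that measurably blow up, which is the same trade-off (no false positives, some false negatives) the thread describes.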
- 'npm run test:redos' now scans for REDOS issues
- added a Travis stage for 'security scan'

Fixes: markedjs#1201 (a step towards it, anyway)
I agree this is better than nothing, but I think we still need to do more.
.travis.yml
@@ -13,6 +13,10 @@ jobs: | |||
- node_js: lts/* | |||
- node_js: node | |||
|
|||
- stage: security scan |
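Review bot: the hunk header `@@ -13,6 +13,10 @@` says four lines were added, but only `- stage: security scan` is visible here; the stage's `script:` entry is not shown, so this hunk alone does not confirm that the stage runs `npm run test:redos` (the command named in the commit message) or that a flagged regex makes the job exit non-zero and fail the build rather than only log a finding. Worth confirming on the first post-merge build, since, as noted in the conversation, the Travis change only takes effect after merge.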
security scan 🔐
Fixed.
Where do you guys find these cool symbols?
@davisjam If you type : you can start typing words and find emoji 🔍
Otherwise, checkout https://emojipedia.org 😄
test: security scan

npm run test:redos now scans for REDOS issues. Fixes: #1201.