Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix security issue: Backtracking regular expressions #1596

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix security issue: Backtracking regular expressions #1596

wants to merge 1 commit into from

Conversation

alfonsomthd
Copy link
Collaborator

@alfonsomthd alfonsomthd commented Sep 26, 2024
edited
Loading

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2311004

Update path-to-regexp to patched versions:

  • Update express to a version that requires a patched version of path-to-regexp.
  • Remove unnecessary dependency react-router v5 that has path-to-regexp as dependency.
    react-router-dom-v5-compat can be replaced with react-router v6 in a follow-up PR.
  • Ensure that path-to-regexp version installed by @openshift-console/dynamic-plugin-sdk-internal
    is a patched version.
[email protected]
├─┬ @openshift-console/[email protected]
│ └─┬ [email protected]
│   └── [email protected]    <== patched version
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]    <== patched version

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 26, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alfonsomthd
Once this PR has been reviewed and has the lgtm label, please assign cloudbehl for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

alfonsomthd
alfonsomthd commented Sep 26, 2024
View reviewed changes
packages/shared/package.json
@@ -61,7 +61,6 @@
"react": "^17.0.1",
"react-dom": "^17.0.1",
"react-i18next": "^11.11.4",
"react-router": "5.3.x",
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SanjalKatiyar in the external plugin that uses the shared library we're using react-router-dom-v5-compat.

@aruniiird
Copy link
Contributor

cc @aruniiird

@GowthamShanmugam
Copy link
Contributor

I think this express package update will solve all other CVEs, almost 90% CVEs that we got have problems with this express dependency only.

@GowthamShanmugam
Copy link
Contributor

LGTM

1 similar comment
@TimothyAsirJeyasing
Copy link
Contributor

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TimothyAsirJeyasing TimothyAsirJeyasing Awaiting requested review from TimothyAsirJeyasing

@GowthamShanmugam GowthamShanmugam Awaiting requested review from GowthamShanmugam

@SanjalKatiyar SanjalKatiyar Awaiting requested review from SanjalKatiyar

@bipuladh bipuladh Awaiting requested review from bipuladh

@aruniiird aruniiird Awaiting requested review from aruniiird

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@alfonsomthd @aruniiird @GowthamShanmugam @TimothyAsirJeyasing