-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
util: expose stripVTControlCharacters() #40214
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
This commit exposes the existing stripVTControlCharacters() method with docs and some additional input validation. PR-URL: nodejs#40214 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Minwoo Jung <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#40214 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Minwoo Jung <[email protected]> Reviewed-By: James M Snell <[email protected]>
This commit exposes the existing stripVTControlCharacters() method with docs and some additional input validation. PR-URL: #40214 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Minwoo Jung <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: #40214 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Minwoo Jung <[email protected]> Reviewed-By: James M Snell <[email protected]>
The regex improvement change (606bb52 / 66d3101) is actually a port of the ansi-regex fix for the CVE-2021-3807 regular expression DoS (ReDoS) issue. References for the fix in ansi-regex: chalk/ansi-regex#37 Are there any plans to apply this fix to 14 and 12 as well? |
This regexp was not exposed prior to this PR and not exploitable. |
While I'm not aware of any real world use case practically exploitable via this issue. |
const readline = require('readline');
const rl = readline.createInterface({
input: process.stdin,
output: process.stdout,
});
for(var i = 1; i <= 5; i++) {
var time = Date.now();
var attack_str = "\u001B["+";".repeat(i*10000);
rl.write(attack_str);
var time_cost = Date.now() - time;
console.log("_attack_str.length: " + attack_str.length + ", time: " + time_cost + " ms")
}
rl.close() |
Readline is a developer utility. This is not going to cause a DoS attack. |
This PR exposes the existing
stripVTControlCharacters()
method with docs and some additional input validation. It also improves the regex used by the function.