Comparing changes

base: Qix-/color-string @ 1.5.4
compare: Qix-/color-string @ 1.5.5
  • 2 commits
  • 2 files changed
  • 1 contributor

Commits on Mar 5, 2021

  1. fix ReDoS in hwb() parser (low-severity)

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    
    A ReDoS (Regular Expression Denial of Service) vulnerability
    was responsibly disclosed to me via email by Colin on
    Mar 5 2021 regarding an exponential time complexity for
    linearly increasing input lengths for `hwb()` color strings.
    
    Strings reaching more than 5000 characters would see several
    milliseconds of processing time; strings reaching more than
    50,000 characters began seeing 1500ms (1.5s) of processing time.
    
    The cause was the regular expression that parses
    hwb() strings - specifically, the hue value - where
    the integer portion of the hue value used a 0-or-more quantifier
    shortly thereafter followed by a 1-or-more quantifier.
    
    This caused excessive backtracking and a cartesian scan,
    resulting in exponential time complexity given a linear
    increase in input length.
    
    Thank you Yeting Li and Colin Ife for bringing this to my
    attention in a secure, responsible and professional manner.
    
    A CVE will not be assigned for this vulnerability.
    Qix- committed Mar 5, 2021 (commit 0789e21)
  2. 1.5.5

    Qix- committed Mar 5, 2021 (commit 966ae4d)
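The commit message above attributes the slowdown to a 0-or-more quantifier followed shortly by a 1-or-more quantifier over the same digit class in the hue part of the hwb() pattern. The block below is an added example, not code from the color-string project and not its actual regex or fix: it constructs an hwb() pattern with that ambiguous number shape beside a bounded, unambiguous one, and wraps the latter in a parser that also caps input length before any regex runs. The pattern names, the 64-character cap, `parseHwb`, `measureMs` and the test inputs are all assumptions made for this example.

```javascript
// Added example: constructed hwb() patterns illustrating the quantifier
// ambiguity the commit message describes. Not the color-string project's own
// regex or fix; names, the length cap and the inputs below are constructed.

// Ambiguous number shape: `\d*` (0-or-more), optional '.', then `\d+`
// (1-or-more). When no '.' is present, every digit could belong to either
// quantifier, so once a later part of the pattern fails the engine retries
// every split of the digit run: roughly n^2 / 2 steps for a run of n digits.
const HWB_AMBIGUOUS =
  /^hwb\(\s*([+-]?\d*\.?\d+)(?:deg)?\s*,\s*([+-]?\d+(?:\.\d+)?)%\s*,\s*([+-]?\d+(?:\.\d+)?)%\s*\)$/;

// Unambiguous shape: a bounded integer part, and a fraction that is only tried
// after a literal '.', so each digit has exactly one place it can go.
const NUM = '[+-]?(?:\\d{1,3}(?:\\.\\d+)?|\\.\\d+)';
const HWB_BOUNDED = new RegExp(
  `^hwb\\(\\s*(${NUM})(?:deg)?\\s*,\\s*(${NUM})%\\s*,\\s*(${NUM})%\\s*\\)$`
);

// A legitimate hwb() string is a few dozen characters at most (constructed
// cap). Rejecting longer input before the regex runs bounds the worst-case
// work whatever pattern is used, which is a second, independent defence.
const MAX_HWB_LENGTH = 64;

// Parse an hwb() string into {h, w, b} numbers, or null if it is not valid.
function parseHwb(str) {
  if (typeof str !== 'string' || str.length > MAX_HWB_LENGTH) return null;
  const m = HWB_BOUNDED.exec(str);
  if (!m) return null;
  return { h: parseFloat(m[1]), w: parseFloat(m[2]), b: parseFloat(m[3]) };
}

// Time a single regex test in milliseconds (demonstration only).
function measureMs(re, input) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed non-matching input: a long digit run where a comma is expected,
// which forces the ambiguous pattern to backtrack through every split.
function pathologicalInput(n) {
  return 'hwb(' + '1'.repeat(n) + ')';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [1000, 2000, 4000, 8000]) {
    const input = pathologicalInput(n);
    console.log(
      `n=${n}: ambiguous ${measureMs(HWB_AMBIGUOUS, input).toFixed(2)} ms, ` +
      `bounded ${measureMs(HWB_BOUNDED, input).toFixed(2)} ms, ` +
      `parseHwb -> ${JSON.stringify(parseHwb(input))}`
    );
  }
  console.log(parseHwb('hwb(120deg, 20%, 40%)'));
}
```

Run with `node`: the ambiguous pattern's time grows roughly quadratically as n doubles, while the bounded pattern stays flat, and `parseHwb` returns null for the oversized inputs without ever reaching the regex. Bounding the integer part is one way to remove the ambiguity; the length cap is the cheaper, pattern-independent guard and is worth keeping even once the regex itself is fixed.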