Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Upgrade minimatch to fix RegEx DoS security issue #10282

Closed
phacks opened this issue Dec 4, 2018 · 4 comments
Closed

[Security] Upgrade minimatch to fix RegEx DoS security issue #10282

phacks opened this issue Dec 4, 2018 · 4 comments
Labels
stale? Issue that may be closed soon due to the original author not responding any more.

Comments

@phacks
Copy link
Contributor

phacks commented Dec 4, 2018

See #10198 for context.

Description

One of the dependencies of the gatsby-remark-code-repls package relies on an outdated version of minimatch that allows for a Regular Expression Denial of Service (see npm report on the matter)

Steps to reproduce

Run yarn audit and see the high severity security issue.
@phacks
Copy link
Contributor Author

phacks commented Dec 4, 2018

I’ll try to work this out when I can spare some time!

Also this is a good opportunity to refactor the package, see

gatsby/packages/gatsby-remark-code-repls/src/gatsby-node.js

Lines 39 to 42 in 9bd0a27

// TODO We could refactor this to use 'recursive-readdir' instead,
// And wrap with Promise.all() to execute createPage() in parallel.
// I'd need to find a way to reliably test error handling though.
const files = recursiveReaddir(directory)

@phacks phacks mentioned this issue Dec 7, 2018
Merged
6 tasks
@gatsbot
Copy link

gatsbot bot commented Feb 4, 2019

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.

If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

Thanks for being a part of the Gatsby community! 💪💜

@gatsbot gatsbot bot added the stale? Issue that may be closed soon due to the original author not responding any more. label Feb 4, 2019
@phacks
Copy link
Contributor Author

phacks commented Feb 4, 2019

Issue is not stale, PR #10338 is still alive and kickin’

@gatsbot
Copy link

gatsbot bot commented Feb 15, 2019

Hey again!

It’s been 30 days since anything happened on this issue, so our friendly neighborhood robot (that’s me!) is going to close it.

Please keep in mind that I’m only a robot, so if I’ve closed this issue in error, I’m HUMAN_EMOTION_SORRY. Please feel free to reopen this issue or create a new one if you need anything else.

Thanks again for being part of the Gatsby community!

@gatsbot gatsbot bot closed this as completed Feb 15, 2019
wardpeet pushed a commit that referenced this issue Mar 13, 2019
@phacks @wardpeet
chore: Upgrade minimatch to fix RegEx DoS security issue (#10338)
c93a84a 
Fixes #10282

- [x] Switch to `recursive-readdir` library
- [x] Implement async readdir behavior
- [x] Fix existing tests
- [x] Test error handling
- [x] Test on a `gatsby-starter-blog` with few examples of REPLs
- [x] Try and implement the `Promise.all` refactor
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale? Issue that may be closed soon due to the original author not responding any more.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@phacks