Comparing changes in Qix-/color-string

base: 1.5.4 ... compare: 1.6.0
  • 6 commits
  • 4 files changed
  • 3 contributors

Commits on Mar 5, 2021

  1. fix ReDoS in hwb() parser (low-severity)

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    
    A ReDoS (Regular Expression Denial of Service) vulnerability
    was responsibly disclosed to me via email by Colin on
    Mar 5 2021 regarding an exponential time complexity for
    linearly increasing input lengths for `hwb()` color strings.
    
    Strings reaching more than 5000 characters would see several
    milliseconds of processing time; strings reaching more than
    50,000 characters began seeing 1500ms (1.5s) of processing time.
    
    The cause was the regular expression that parses
    hwb() strings - specifically, the hue value - where
    the integer portion of the hue value used a 0-or-more quantifier
    shortly thereafter followed by a 1-or-more quantifier.
    
    This caused excessive backtracking and a cartesian scan,
    resulting in exponential time complexity given a linear
    increase in input length.
    
    Thank you Yeting Li and Colin Ife for bringing this to my
    attention in a secure, responsible and professional manner.
    
    A CVE will not be assigned for this vulnerability.
    Qix- committed Mar 5, 2021 (0789e21)
  2. 1.5.5

    Qix- committed Mar 5, 2021 (966ae4d)
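The first commit above describes the hwb() ReDoS as a 0-or-more digit quantifier followed shortly by a 1-or-more quantifier. The following added example (not color-string's own code, and not its actual patch) shows that ambiguous number shape beside a hardened grammar in which each digit has exactly one place to match, wrapped in a small hwb() parser; `parseHwb`, `HWB_RE`, `HARDENED_NUMBER` and `MAX_HWB_LENGTH` are names chosen for this example.

```javascript
// Added example, not color-string's own code: an hwb() parser whose number
// grammar avoids the "0-or-more digits shortly followed by 1-or-more digits"
// shape the commit message blames, plus an input-length guard.

// Shape of the original problem, kept only for comparison. With no '.' in
// the input, \d* and \d+ compete for the same digit run, so a failing match
// makes the engine retry every possible split of that run.
const AMBIGUOUS_NUMBER = /^[+-]?\d*\.?\d+$/;

// Hardened grammar (this example's own choice, not the project's patch):
// at most three integer digits, and a second digit run only after a literal
// '.', so each digit has exactly one place it can match and backtracking
// stays bounded.
const NUMBER = String.raw`[+-]?(?:\d{1,3}(?:\.\d+)?|\.\d+)`;
const HARDENED_NUMBER = new RegExp('^' + NUMBER + '$');
const HWB_RE = new RegExp(
  String.raw`^hwb\(\s*(${NUMBER})(?:deg)?\s*,\s*(${NUMBER})%\s*,\s*(${NUMBER})%\s*` +
  String.raw`(?:,\s*(${NUMBER})\s*)?\)$`
);

// Defence in depth: reject oversized input before any regex runs. The limit
// is an assumption for this example; real hwb() strings are far shorter.
const MAX_HWB_LENGTH = 128;

// Returns {h, w, b, alpha} for a valid hwb() string, otherwise null.
function parseHwb(str) {
  if (typeof str !== 'string' || str.length > MAX_HWB_LENGTH) return null;
  const m = HWB_RE.exec(str);
  if (!m) return null;
  return {
    h: Number(m[1]),
    w: Number(m[2]),
    b: Number(m[3]),
    alpha: m[4] === undefined ? 1 : Number(m[4]),
  };
}
```

Both grammars accept the same ordinary values such as `12.5` or `.5`; the hardened one additionally rejects hues with more than three integer digits and, via the length guard, never hands a very long string to the regex engine at all.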

Commits on Jul 17, 2021

  1. Add tests for space-separated HSL syntax

    htunnicliff authored and Qix- committed Jul 17, 2021 (0264546)
  2. Update HSL regular expression

    htunnicliff authored and Qix- committed Jul 17, 2021 (6f73e20)
  3. Add additional HSL examples to README

    htunnicliff authored and Qix- committed Jul 17, 2021 (2b6f59c)
  4. 1.6.0

    Qix- committed Jul 17, 2021 (1a68f9e)