Server.js icon indicating copy to clipboard operation
Server.js copied to clipboard
verified publisher icon LinkedDataFragments

Uncontrolled Resource Consumption in parse-link-header

Open marcelomachado opened this issue 2 years ago • 3 comments

The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. See: https://github.com/IBM/tpf-conceptnet-datasource/security/dependabot/1

The dependency chain is as follows: parse-link-header 1.0.1 > @comunica/actor-http-native 1.22.1 > rdf-parse 1.9.1 > componentsjs 4.5.0 > @ldf/core 3.2.1 (the one used here). The > represents the required by relation.

marcelomachado avatar Mar 17 '23 05:03 marcelomachado

Updating to the newest Components.js version should resolve this. PR is welcome :-)

rubensworks avatar Mar 27 '23 07:03 rubensworks

Updating to the newest Components.js version should resolve this. PR is welcome :-)

I don't know if the 5.x.x version may break something. I sent a PR updating to 4.5.0.

marcelomachado avatar Mar 28 '23 22:03 marcelomachado

I don't know if the 5.x.x version may break something.

I think the latest range is probably what we want if possible, I think remaining in the 4.x range will still give us other bugs that have been fixed in 5.x.

rubensworks avatar Mar 29 '23 06:03 rubensworks