
Comments (11)

dnsmob commented on April 28, 2024 4

Cool, we're on the same page here -- but security warnings trigger the hair on the back of the neck of tech managers, so... ;)

Does my suggestion of limiting the number of characters make sense though? I'm sort of assuming that function deals with AARRGGBB values only, hence limiting the loop would be enough?

from d3-color.

stefferd commented on April 28, 2024 3

Agreeing with both: it gives a security risk that could be considered as a false positive, but it still pops up on most security scans. I would like the suggested fix to be adopted.


mbostock commented on April 28, 2024 1

Is your application parsing user-specified color strings, i.e., are you passing user-generated content to d3-color parsing methods? Most applications do not, and so in practice, most of these security vulnerabilities are false positives.


mbostock commented on April 28, 2024 1

My understanding is that limiting the input length is not sufficient to address the vulnerability, and that we probably need to fix this by abandoning regular expressions entirely, say, in favor of a tokenizer parser, which is a lot of work.


EnsisAeternus commented on April 28, 2024 1

I am also running into the problem of a security scanner flagging this issue, questionable though the severity of the issue is, and unlikely as it is that it can be exploited. It does appear that the vulnerability can be addressed by limiting the input string size, though, because the problem is in regex runtime exponentially increasing with input length.


dnsmob commented on April 28, 2024

Considering they can consistently reproduce it, it's hard to call it a false positive though :(
I'm not really familiar with what is possible to do with these methods, but is it not simply a case of limiting the number of characters in the string that the method rgb can take?


mbostock commented on April 28, 2024

I wasn’t disputing that the regular expression is prone to catastrophic backtracking, just that most applications don’t pass user input to d3.color and related methods, and hence are not vulnerable.


mbostock commented on April 28, 2024

Duplicate of #89. We don’t need a separate issue to track the status of another issue.


mbostock commented on April 28, 2024

Whoops, that was a PR, not an issue. I’ll retitle this issue.


mbostock commented on April 28, 2024

I did a little debugging, and based on the report, the catastrophic backtracking may be limited to the percent-format regular expressions? Here’s an example that shows hundreds of steps before failing if you open the regex debugger:

https://regex101.com/r/GeakxZ/1

Edit: Nope, it’s not specific to the percent format. The reRgbInteger will also fail after hundreds of steps.


mbostock commented on April 28, 2024

The fix ended up being quite trivial. This part of the regular expression was causing the explosion since there are many valid ways it could match the same input (since both the \d* and \.? can match the empty string):

\d*\.?\d+

The fix is instead to enforce that there is only a single way of matching valid input:

(?:\d*\.)?\d+

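The two number patterns quoted in the comment above, side by side, as an added example that is not d3-color's own code: both accept exactly the same strings, but only the ambiguous one does quadratic work on a long run of digits that fails to match. The surrounding rgb(N%, N%, N%) regex and the sample inputs are constructed for illustration; the real d3-color regexes are longer.

```javascript
// Added example, not d3-color's own code: the number pattern quoted in the
// issue versus its fix, embedded in a constructed rgb(N%, N%, N%) regex
// (the real d3-color regexes are longer; this one is for illustration only).
const NUM_AMBIGUOUS = String.raw`\d*\.?\d+`;   // \d* and \.? can both match ""
const NUM_FIXED = String.raw`(?:\d*\.)?\d+`;   // only one way to split the digits

function rgbPercentRegex(num) {
  const part = String.raw`\s*(${num})%\s*`;
  return new RegExp(String.raw`^rgb\(${part},${part},${part}\)$`);
}

const RE_AMBIGUOUS = rgbPercentRegex(NUM_AMBIGUOUS);
const RE_FIXED = rgbPercentRegex(NUM_FIXED);

// Parse with the fixed pattern; returns [r, g, b] percentages or null.
function parseRgbPercent(str) {
  const m = RE_FIXED.exec(str);
  return m ? m.slice(1, 4).map(Number) : null;
}

// The two patterns accept exactly the same strings: the fix changes only
// how the engine searches for a match, not what it accepts.
function sameVerdict(str) {
  return RE_AMBIGUOUS.test(str) === RE_FIXED.test(str);
}

// Regression check: a long run of digits followed by a non-matching byte.
// The ambiguous pattern retries every split of the digits between \d* and
// \d+ (quadratic work); the fixed one backs off once per digit (linear).
function timeFailingMatch(re, digits = 5000) {
  const input = "rgb(" + "1".repeat(digits) + "x";  // constructed, never matches
  const t0 = Date.now();
  const matched = re.test(input);
  return { matched, ms: Date.now() - t0 };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseRgbPercent("rgb(10%, 20.5%, .5%)"));  // [ 10, 20.5, 0.5 ]
  console.log("ambiguous:", timeFailingMatch(RE_AMBIGUOUS));
  console.log("fixed:    ", timeFailingMatch(RE_FIXED));
}
```

Raising `digits` makes the gap between the two timings grow quadratically; a check like `timeFailingMatch` against a fixed budget is a cheap regression test to keep next to any hand-written parsing regex.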
