Description
🐛 Bug Report
Raising as an issue here as I'm not sure this makes sense to ask on SO
- This module uses
html-parse-stringify2@^2.0.1. - CVE-2021-23346 (more info in https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307) has been raised against that module. It's not clear whether
html-parse-stringify2is still maintained and will ever be fixed (ongoing conversation in Regular Expression Denial of Service possible rayd/html-parse-stringify2#26). - I think is the only place that
Line 136 in 9f80ddc
html-parse-stringify2is used, where the string to be parsed is explicitly wrapped in<0>${interpolatedString}</0> - I have not yet managed to find a value for
${interpolatedString}that triggers the ReDoS bug inhtml-parse-stringify2, and looking at the bug in the RegEx inhtml-parse-stringify2I'm pretty sure there isn't one, but would like an official view from the maintainers on whether CVE-2021-23346 is definitely not applicable.
To Reproduce
If you want to see the bug in html-parse-stringify2 then run...
const p = require('html-parse-stringify2')
console.log('parsing')
p.parse("<!'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!")
console.log('parsed')This does not complete in a timely manner.
Running the following does complete quickly, but maybe I just can't think of a "bad" input yet.
const p = require('html-parse-stringify2')
console.log('parsing')
p.parse("<0><!'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!></0>")
console.log('parsed')Expected behavior
Hopefully you confirm this is not applicable
Your Environment
- runtime version: Node v14
- i18next version: i.e. 14.1.1
- os: Linux