public / clean-css.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9693ae6) | patch
Fixes ReDOS vulnerabilities.
authorJakub Pawlowicz <contact@jakubpawlowicz.com>
Tue, 6 Mar 2018 10:10:05 +0000 (11:10 +0100)
committerJakub Pawlowicz <contact@jakubpawlowicz.com>
Tue, 6 Mar 2018 13:34:03 +0000 (14:34 +0100)
commit2929bafbf8cdf7dccb24e0949c70833764fa87e3
tree7109cddb265a4cfaf3bf30aa48d9362a067fd7b0tree | snapshot
parent9693ae602bcd26cabf663d19deb596b53a375ce9commit | diff
Fixes ReDOS vulnerabilities.

Jamie Davis (@davisjam) from Virginia Tech reported that clean-css
suffers from ReDOS vulnerability [0] when fed with crafted input.

Since not so many people use clean-css allowing untrusted input such
cases may be rare, but this commit reworks vulnerable code to prevent
such attacks.

It also limits certain whitespace blocks to sane length of 31 characters
in validation regexes to prevent similar issues.

[0] https://snyk.io/blog/redos-and-catastrophic-backtracking
History.md diff | blob | history
README.md diff | blob | history
lib/optimizer/level-2/can-override.js diff | blob | history
lib/optimizer/level-2/compactable.js diff | blob | history
lib/optimizer/level-2/remove-unused-at-rules.js diff | blob | history
lib/optimizer/validator.js diff | blob | history
lib/tokenizer/tokenize.js diff | blob | history
test/module-test.js diff | blob | history
A well-tested CSS minifier, modified to add NDCODE hooks.