From 3a401214a73d732c61019a6f6ba8fda555358a60 Mon Sep 17 00:00:00 2001 From: Michael Schmidt Date: Sat, 11 Sep 2021 22:01:48 +0200 Subject: [PATCH 1/6] Added security policy draft --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..9add11e2ab --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Reporting a Vulnerability + +***DO NOT CREATE AN ISSUE*** to report a vulnerability. + +Instead, please send an email to todo-security@example.com. +See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details. + +### Procedure + +1. After you send an email to todo-security@example.com, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. + + We may require further information, so please keep in touch with us until the vulnerability has been fixed. + +2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix. + + You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account). + At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability). + +3. After the fix has been merged, we will make a new release and publish the security advisory within one week. From 1e27e6975f4502fac68aca6c29a22bfe2ffb5fa2 Mon Sep 17 00:00:00 2001 
From: Michael Schmidt Date: Thu, 16 Sep 2021 13:54:12 +0200 Subject: [PATCH 2/6] Added an exception for low-severity ReDoS --- SECURITY.md | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9add11e2ab..f141463364 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,21 +1,45 @@ # Security Policy +## What is considered a vulnerability? + +There are some types of low-severity vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. + +Please see the below section on how we treat ReDoS vulnerabilities. + +If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below). + +### ReDoS + +Prism is a regex-based syntax highlighter. As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes. + +However, not all ReDoS is created equal. A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n2)_ to _2O(n)_. This matters because a worst-case time complexity _≥ O(n3)_ is a [high severity][severity] vulnerability while _O(n2)_ is low or medium severity in the context of Prism. +Furthermore, worst-case time complexities of _O(n2)_ can have 2 different causes: backtracking or moving. Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases). + +Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n2)_ caused by moving as regular bugs and not as vulnerabilities. Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities. + +If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below). + + ## Reporting a Vulnerability ***DO NOT CREATE AN ISSUE*** to report a vulnerability. -Instead, please send an email to todo-security@example.com. +Instead, please send an email to todo-security@example.com. 
See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details. ### Procedure -1. After you send an email to todo-security@example.com, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. +1. After you send an email to todo-security@example.com, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. We may require further information, so please keep in touch with us until the vulnerability has been fixed. -2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix. +2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix. - You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account). + You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account). At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability). - + 3. After the fix has been merged, we will make a new release and publish the security advisory within one week. + + +[ReDoS]: https://en.wikipedia.org/wiki/ReDoS +[severity]: https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/ From d66c465001f25e7530fd7d4b1bb43a148609873b Mon Sep 17 00:00:00 2001 
From: Michael Schmidt Date: Thu, 16 Sep 2021 14:01:04 +0200 Subject: [PATCH 3/6] Added links --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f141463364..67a859901d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,9 +2,9 @@ ## What is considered a vulnerability? -There are some types of low-severity vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. +There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. -Please see the below section on how we treat ReDoS vulnerabilities. +Please see the below section on how we treat [ReDoS] vulnerabilities. If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below). From 38e528b9d926c232564586af742380e261f9f1c5 Mon Sep 17 00:00:00 2001 From: RunDevelopment Date: Tue, 22 Mar 2022 11:02:52 +0100 Subject: [PATCH 4/6] Removed email address --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 67a859901d..492b3d1a1b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -24,12 +24,12 @@ If you found a slow regex but are unsure about the worst-case time complexity or ***DO NOT CREATE AN ISSUE*** to report a vulnerability. -Instead, please send an email to todo-security@example.com. +Instead, please send an email to at least one of Prism's maintainers. See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details. ### Procedure -1. After you send an email to todo-security@example.com, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. +1. After you send an email a maintainer, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. We may require further information, so please keep in touch with us until the vulnerability has been fixed. From 74b434261e416c4237a686fb0e6616a2ed4e5ad8 Mon Sep 17 00:00:00 2001 From: RunDevelopment Date: Tue, 22 Mar 2022 19:09:12 +0100 Subject: [PATCH 5/6] One sentence per line --- SECURITY.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 492b3d1a1b..ede97d3a3f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,8 @@ ## What is considered a vulnerability? -There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. +There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. +All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. Please see the below section on how we treat [ReDoS] vulnerabilities. 
@@ -10,12 +11,17 @@ If you are unsure whether a vulnerability you found qualifies, please report it ### ReDoS -Prism is a regex-based syntax highlighter. As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes. +Prism is a regex-based syntax highlighter. +As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes. -However, not all ReDoS is created equal. A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n2)_ to _2O(n)_. This matters because a worst-case time complexity _≥ O(n3)_ is a [high severity][severity] vulnerability while _O(n2)_ is low or medium severity in the context of Prism. -Furthermore, worst-case time complexities of _O(n2)_ can have 2 different causes: backtracking or moving. Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases). +However, not all ReDoS is created equal. +A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n2)_ to _2O(n)_. +This matters because a worst-case time complexity _≥ O(n3)_ is a [high severity][severity] vulnerability while _O(n2)_ is low or medium severity in the context of Prism. +Furthermore, worst-case time complexities of _O(n2)_ can have 2 different causes: backtracking or moving. +Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases). -Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n2)_ caused by moving as regular bugs and not as vulnerabilities. Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities. 
+Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n2)_ caused by moving as regular bugs and not as vulnerabilities. +Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities. If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below). From 7dc09fc2ea93acc193364f423999bec555790f90 Mon Sep 17 00:00:00 2001 From: Michael Schmidt Date: Tue, 26 Jul 2022 21:07:54 +0200 Subject: [PATCH 6/6] Link MAINTAINERS.md --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ede97d3a3f..c796689dff 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -30,12 +30,12 @@ If you found a slow regex but are unsure about the worst-case time complexity or ***DO NOT CREATE AN ISSUE*** to report a vulnerability. -Instead, please send an email to at least one of Prism's maintainers. +Instead, please send an email to at least one of [Prism's maintainers](MAINTAINERS.md). See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details. ### Procedure -1. After you send an email a maintainer, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. +1. After you send an email [a maintainer](MAINTAINERS.md), you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. We may require further information, so please keep in touch with us until the vulnerability has been fixed.
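Review bot: on PATCH 1/6, the contact address `todo-security@example.com` in the new SECURITY.md is a placeholder (`+Instead, please send an email to todo-security@example.com.` and again in step 1 of the procedure), so merging this as-is publishes a policy that routes vulnerability reports to a mailbox under a reserved example domain. Either replace it with the real address before merge or keep the file out of the default branch until it is filled in. Since the address appears twice, a single reference-style link definition would let a later change touch one line instead of two.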
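Review bot: on PATCH 2/6 (hunk `@@ -1,21 +1,45 @@`), the complexity notation loses its exponents in Markdown: `_O(n2)_`, `_≥ O(n3)_` and `_2O(n)_` render as O(n2), ≥ O(n3) and 2O(n), and the last reads as if the bound were a constant times O(n) rather than exponential. Use `O(n<sup>2</sup>)` and `2<sup>O(n)</sup>` (GitHub renders `<sup>`) or plain `O(n^2)` and `2^O(n)`. The term "moving" in `+Furthermore, worst-case time complexities of _O(n2)_ can have 2 different causes: backtracking or moving.` is not standard ReDoS vocabulary and is never defined, yet the whole bug-versus-vulnerability rule hinges on it; one sentence saying what it means would let reporters apply the triage rule themselves. The hunk also adds trailing whitespace to four otherwise unchanged lines in the reporting section (the five deletions in the diffstat); those whitespace-only changes should be dropped from this commit.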
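Review bot: on PATCH 3/6, `[low-severity][severity]` now points "severity" at a vendor explainer page (imperva.com) rather than at the definition the policy relies on; because the policy decides CVE-versus-bug by severity band, link the CVSS specification published by FIRST (https://www.first.org/cvss/) or state the bands inline so the rule does not depend on a third-party page staying online. While this line is being touched, `that we will not acknowledge as CVE and treat as bugs instead` reads better as `that we will not acknowledge as a CVE and will treat as bugs instead`.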
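Review bot: on PATCH 4/6, `+1. After you send an email a maintainer, you should receive a response ...` drops the preposition; it should read `After you send an email to a maintainer`. In the same hunk, `at least one of Prism's maintainers` gives a reporter no way to find a maintainer's address, so the line should point to wherever the maintainers and their contact details are listed; a reporter who cannot find a private channel is the one most likely to fall back to the public issue tracker that the policy tells them to avoid.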
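Review bot: on PATCH 5/6, the second hunk (`@@ -10,12 +11,17 @@`) re-adds `+A slow regex can be have a [worst-case time complexity]...` with the pre-existing typo intact; since the line is rewritten here anyway, make it `A slow regex can have a ...`. The same hunk keeps `can have 2 different causes`, which reads better spelled out as `two`.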
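Review bot: on PATCH 6/6, `+1. After you send an email [a maintainer](MAINTAINERS.md), you should receive ...` still lacks "to" before the link: `After you send an email to [a maintainer](MAINTAINERS.md)`. The relative link also assumes MAINTAINERS.md exists at the repository root and lists email addresses, neither of which this series adds or shows; confirm the file is present and that it gives a contact address rather than only GitHub handles, otherwise the policy again points reporters at nothing actionable.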