
Updating tough-cookie due to security fix. #2776

Merged
merged 1 commit into from Sep 25, 2017

Conversation

@karlnorling karlnorling commented Sep 22, 2017

PR Checklist:

  • I have run npm test locally and all tests are passing.
  • I have added/updated tests for any new behavior.
  • If this is a significant change, an issue has already been created where the problem / solution was discussed: [N/A, or add link to issue here]

PR Description

This addresses:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing all versions <=2.3.2 are vulnerable.
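For anyone checking whether their own dependency tree still pulls in an affected tough-cookie, here is a small lockfile audit. This is an added example, not code from this PR or from the request project; the lockfile object is constructed for illustration, and the affected range (<=2.3.2) is taken from the advisory text above.

```javascript
// Added example: scan a package-lock.json v1 style "dependencies" tree for
// tough-cookie versions in the affected range (<= 2.3.2, per the advisory).
// The sample lockfile below is constructed, not taken from a real project.

const AFFECTED_MAX = [2, 3, 2]; // versions <= 2.3.2 are vulnerable

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(parseVersion(version), AFFECTED_MAX) <= 0;
}

// Recursively walk nested "dependencies" objects (keyed by package name,
// each with a "version" and optional nested "dependencies") and collect
// every affected copy of the package together with its path in the tree.
function findAffected(lock, pkg = 'tough-cookie', path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === pkg && isAffected(entry.version)) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    findAffected(entry, pkg, here, out);
  }
  return out;
}

// Constructed sample: a top-level request 2.81.0 still pinning the old
// tough-cookie, and a newer request deeper in the tree with a patched copy.
const sampleLock = {
  dependencies: {
    request: { version: '2.81.0', dependencies: { 'tough-cookie': { version: '2.3.2' } } },
    'some-client': {
      version: '1.0.0',
      dependencies: {
        request: { version: '2.83.0', dependencies: { 'tough-cookie': { version: '2.3.3' } } },
      },
    },
  },
};

console.log(findAffected(sampleLock));
```

Pointing `findAffected` at `JSON.parse(fs.readFileSync('package-lock.json'))` reports every nested copy that the top-level `npm ls` summary may hide.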

@crc442 crc442 left a comment

LGTM 🚀 Thanks for updating 😉

@mikeal

mikeal commented Sep 22, 2017

Please don't update the version of request. The release script does that on its own :)

Other than that, it looks good.

quentinR pushed a commit to quentinR/strong-remoting that referenced this pull request Sep 22, 2017
@karlnorling

@mikeal All done!

@austin-msi

Any chance this can be merged today? I'd like to update my project ASAP 😃

@danihodovic

Could this be merged soon to fix all the failing CI builds 😄 ?

@avindra

avindra commented Sep 25, 2017

The security advisories have already been updated with the patched release of tough-cookie.

Can we please have a release of request cut with this fix?

@mikeal mikeal merged commit 5b623b5 into request:master Sep 25, 2017
@karlnorling karlnorling deleted the tough-cookie-sec-update branch September 25, 2017 20:44
@appility

this merge is great but when I try to update with
npm install request@latest --save
it only updates to
"request": "^2.82.0"
which still refers to the older version of tough-cookie?

@Ilshidur

Ilshidur commented Sep 26, 2017

@appility That is because the latest published version is 2.82.0. The GitHub repo currently has the 2.82.1 version already tagged but not yet published.
Unless I am mistaken, the changes made by this PR might be released in a new version: 2.82.2, which I really look forward to.

godspeedelbow added a commit to godspeedelbow/node-pre-gyp that referenced this pull request Sep 27, 2017
quentinR pushed a commit to quentinR/strong-remoting that referenced this pull request Oct 2, 2017
quentinR pushed a commit to quentinR/strong-remoting that referenced this pull request Oct 2, 2017
quentinR pushed a commit to quentinR/strong-remoting that referenced this pull request Oct 2, 2017
Updating request to 2.83 due to security fix of the tough-cookie dependency.

[tough-cookie vulnerability](https://nodesecurity.io/advisories/525)
[request update](request/request#2776)
quentinR pushed a commit to quentinR/strong-remoting that referenced this pull request Oct 2, 2017
due to security fix of the tough-cookie dependency.

[tough-cookie vulnerability](https://nodesecurity.io/advisories/525)
[request update](request/request#2776)
quentinR pushed a commit to quentinR/strong-remoting that referenced this pull request Oct 2, 2017
due to security fix of the tough-cookie dependency.

[tough-cookie vulnerability](https://nodesecurity.io/advisories/525)
[request update](request/request#2776)
bajtos pushed a commit to quentinR/strong-remoting that referenced this pull request Oct 5, 2017
Enforce our users to upgrade to a recent request version that contains
latest security fixes:

 - tough-cookie vulnerability: https://nodesecurity.io/advisories/525
 - request update: request/request#2776
Traksewt pushed a commit to agriwebb/strong-remoting that referenced this pull request Oct 19, 2017
Enforce our users to upgrade to a recent request version that contains
latest security fixes:

 - tough-cookie vulnerability: https://nodesecurity.io/advisories/525
 - request update: request/request#2776
michaeljoseph added a commit to michaeljoseph/prerender-node that referenced this pull request Feb 6, 2018