What does "regular expression denial of service" mean when using npm?

Posted 2025-01-10 02:05:21 · 590 characters · 0 views · 0 comments

I am new to programming and everyone keeps mentioning how it is problem specific, but I wanted to know: when using npm audit, does the denial of service mean it's not able to communicate with the git repository?

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/chokidar/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    live-server  >=1.2.0
    Depends on vulnerable versions of chokidar
    node_modules/live-server

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix


Comments (1)

最美的太阳 2025-01-17 02:05:21

What you're seeing is an alert coming from NPM that reports that one of the packages your project is using, glob-parent, had a vulnerability before version 5.1.2. Specifically, someone could theoretically do:

var globParent = require("glob-parent")

// Builds "{" followed by n slashes: a brace enclosure that is never closed,
// which is the input shape the old enclosure regex backtracks on
function build_attack(n) {
  var ret = "{"
  for (var i = 0; i < n; i++) {
    ret += "/"
  }

  return ret;
}

// With a vulnerable glob-parent this call does not return in practical time
globParent(build_attack(5000));

or create some other deliberately malformed string for globParent to parse, which would result in your system hanging due to a regular expression that glob-parent is using.

If you upgrade to a more recent version of glob-parent (which you can do with npm audit fix), you will no longer be vulnerable to this attack.

does the denial of service mean it's not able to communicate with the git repository?

No, it means that a bad actor could theoretically leverage glob-parent to deny resources to your system (until you killed the process). It doesn't mean that such a thing is actually taking place, just that the old versions of glob-parent were vulnerable to such a thing.
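To make the answer concrete, here is an added example (mine, not code from the question, the answer, or the glob-parent project) that shows why the "{" plus slashes payload stalls the old enclosure check and why the patched check does not, plus the input-length guard a consumer can add when an upgrade is not yet possible. The two regexes are reconstructed from the GHSA-ww39-953v-wcq6 advisory as I remember it, and MAX_PATTERN_LENGTH is an assumed limit.

```javascript
// Added example, not from the question or answer above: the old and patched
// enclosure checks side by side, timed on the answer's payload shape.
// Assumption: ENCLOSURE_VULNERABLE / ENCLOSURE_FIXED are reconstructed from
// the GHSA-ww39-953v-wcq6 advisory from memory; treat them as illustrative.

// Three adjacent quantifiers (.* [\/]* .*) compete for the same characters:
// when the closing "}" or "]" never arrives, the engine tries every way to
// split the slashes between them before failing, roughly cubic in length.
const ENCLOSURE_VULNERABLE = /[\{\[].*[\/]*.*[\}\]]$/;
// A single .* between the brackets: one greedy pass plus a linear backtrack.
const ENCLOSURE_FIXED = /[\{\[].*[\}\]]$/;

// Same shape as build_attack(n) in the answer: "{" followed by n slashes.
function buildPayload(n) {
  return "{" + "/".repeat(n);
}

// Milliseconds spent testing one regex against a payload of n slashes.
function timeMatch(re, n) {
  const input = buildPayload(n);
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Defensive wrapper for code that must parse untrusted glob patterns with a
// library it cannot upgrade yet: bound the input before any regex runs.
// MAX_PATTERN_LENGTH is an assumed limit; pick one that fits real patterns.
const MAX_PATTERN_LENGTH = 1024;
function isEnclosed(pattern) {
  if (typeof pattern !== "string" || pattern.length > MAX_PATTERN_LENGTH) {
    throw new RangeError("glob pattern rejected before regex: too long");
  }
  return ENCLOSURE_FIXED.test(pattern);
}

// Keep n modest: the vulnerable regex roughly multiplies its time by 8
// every time the payload length doubles, which is the whole problem.
for (const n of [100, 200, 400]) {
  const slow = timeMatch(ENCLOSURE_VULNERABLE, n).toFixed(2);
  const fast = timeMatch(ENCLOSURE_FIXED, n).toFixed(2);
  console.log(`n=${n}: vulnerable ${slow} ms, fixed ${fast} ms`);
}
```

Running it prints three timing rows; the vulnerable column grows far faster than the fixed column as n doubles, while isEnclosed refuses oversized input before any regex work happens.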
