[Security] Bump moment from 2.29.1 to 2.29.4
Bumps moment from 2.29.1 to 2.29.4. This update includes security fixes.
Vulnerabilities fixed
Inefficient Regular Expression Complexity in moment
Impact
- using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
- noticeable slowdown is observed with inputs above 10k characters
- users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks
Patches
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.
Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter; that would help with this as well as with most future ReDoS vulnerabilities.
References
There is an excellent writeup of the issue here: moment/moment#6015
Details
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing.
moment("(".repeat(500000))
will take a few minutes to process, which is unacceptable.
Patched versions: 2.29.4
Affected versions: >= 2.18.0, < 2.29.4
Path Traversal: 'dir/../../filename' in moment.locale
Impact
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. "fr", is directly used to switch the moment locale.
Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workarounds
Sanitize user-provided locale name before passing it to moment.js.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
- Open an issue in moment repo
Patched versions: 2.29.2
Affected versions: < 2.29.2
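The two workarounds above (a length cap before string-to-date parsing, and sanitizing a user-supplied locale name) are easy to get wrong if done ad hoc at each call site. The following is an added example, not code from moment or from this advisory. It assumes the application passes its own date parser (normally the moment constructor) into the guard; a constructed stand-in parser is used here so the file runs without moment installed. The 200-character bound is the one the advisory suggests, the locale pattern and allow list are assumptions for illustration.

```javascript
// Added example, not part of moment or of the advisory text.

const MAX_DATE_INPUT_LENGTH = 200; // the "sane" bound suggested in the advisory

// Reject oversized strings before they reach the date parser, so the
// (formerly quadratic) rfc2822 comment-stripping code never sees huge input.
// `parseDate` is the application's parser, e.g. the moment constructor.
function guardedParseDate(parseDate, input, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== 'string') {
    throw new TypeError('date input must be a string');
  }
  if (input.length > maxLength) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLength}` };
  }
  return { ok: true, value: parseDate(input) };
}

// Locale identifiers look like "fr", "en-gb", "zh-cn": lowercase letters and
// digits separated by single hyphens (assumed pattern). Anything containing
// slashes, dots or ".." cannot be a locale name and must never be turned into
// a file path; on top of the pattern, only an explicit allow list is accepted.
const LOCALE_PATTERN = /^[a-z]{2,3}(?:-[a-z0-9]{1,8})*$/;

function sanitizeLocale(name, allowedLocales, fallback = 'en') {
  if (typeof name !== 'string' || !LOCALE_PATTERN.test(name)) {
    return fallback;
  }
  return allowedLocales.has(name) ? name : fallback;
}

// Constructed stand-in for moment(): just records the length it was handed.
function fakeParse(s) {
  return { parsedLength: s.length };
}

// Constructed allow list of the locales this hypothetical app ships.
const SUPPORTED_LOCALES = new Set(['en', 'fr', 'en-gb', 'de']);

// Demo: a normal date passes, the advisory's repro input is refused up front,
// and path-like locale names fall back to the default.
console.log(guardedParseDate(fakeParse, '2022-07-06'));
console.log(guardedParseDate(fakeParse, '('.repeat(500000)));
console.log(sanitizeLocale('fr', SUPPORTED_LOCALES));
console.log(sanitizeLocale('dir/../../filename', SUPPORTED_LOCALES));
```

In real code `fakeParse` would be replaced by `moment`, and the guard should sit at the trust boundary (request handler, form parser) rather than deep in date-handling helpers, so every user-originating string is bounded exactly once.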
Changelog
Sourced from moment's changelog.
2.29.4
- Release Jul 6, 2022
- #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex
Full changelog
2.29.3
See full changelog
2.29.2
- Release Apr 3 2022
Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
Commits
- 000ac18 Build 2.24.4
- f2006b6 Bump version to 2.24.4
- 536ad0c Update changelog for 2.29.4
- 9a3b589 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
- 6374fd8 Merge branch 'master' into develop
- b4e6153 Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
- 7aebb16 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
- 57c9062 Build 2.29.3
- aaf50b6 Fixup release complaints
- 26f4aef Bump version to 2.29.3
- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts