File: CVE-2022-37599.patch

package info (click to toggle)
node-loader-utils 2.0.0-1%2Bdeb11u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 452 kB
  • sloc: javascript: 1,484; makefile: 2
file content (19 lines) | stat: -rw-r--r-- 837 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
 
Description: fix ReDoS
Author: Alexander Akait <4567934+alexander-akait@users.noreply.github.com>
Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d
Bug: https://github.com/webpack/loader-utils/issues/211
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2022-11-14

--- a/lib/interpolateName.js
+++ b/lib/interpolateName.js
@@ -108,7 +108,7 @@
       // `hash` and `contenthash` are same in `loader-utils` context
       // let's keep `hash` for backward compatibility
       .replace(
-        /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
+        /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
         (all, hashType, digestType, maxLength) =>
           getHashDigest(content, hashType, digestType, parseInt(maxLength, 10))
       )