
Update restify in CirrusSearch extension
Open, Low, Public

Description

restify, used by CirrusSearch, has a vulnerability.

Please update to a newer version.

#1171: csv-parse
Severity: high
Versions of csv-parse prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option.
npm advisory

Event Timeline

Restricted Application added a subscriber: Aklapper.
EBernhardson added a subscriber: EBernhardson.

restify is used in the test suite; there is no denial of service from specially crafted input there unless people are exposing the unix pipe used for talking to it to the world. Not to say updating it would be bad, but it doesn't seem worth any effort currently.
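The two questions raised on this task, whether the installed csv-parse is still below the advisory's fixed version and whether the affected copy is only reachable through a dev dependency such as a test-suite package, can both be answered from the lock file. The script below is an added example written for this page, not code from the task, from CirrusSearch or from npm; it scans a package-lock.json in the lockfileVersion 1 layout for copies of a package below a given version and reports each copy's path and `dev` flag. The lock-file fragment, the restify version and the `^4.4.3` range are constructed for illustration and modelled on the situation in the task; only the package name and the 4.4.6 fixed version come from the quoted advisory.

```javascript
// Added example, not CirrusSearch's code: find copies of a package in a
// package-lock.json (lockfileVersion 1 layout) that are below the version an
// advisory fixes, and say whether each copy is dev-only.
const ADVISORY = { name: 'csv-parse', fixedIn: '4.4.6' }; // from npm advisory #1171

// Constructed lock-file fragment (versions and ranges are illustrative):
// restify is a dev dependency that pulls in an old csv-parse as a nested
// dependency, while a patched copy sits at the top level.
const SAMPLE_LOCK = {
  name: 'example-extension',
  lockfileVersion: 1,
  dependencies: {
    restify: {
      version: '8.3.3',
      dev: true,
      requires: { 'csv-parse': '^4.4.3' },
      dependencies: {
        'csv-parse': { version: '4.4.3', dev: true },
      },
    },
    'csv-parse': { version: '4.8.2' },
  },
};

// Compare dotted numeric versions; returns <0, 0 or >0. Pre-release suffixes
// are dropped, which is enough for the x.y.z bounds an advisory states.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested `dependencies` tree and collect every installed copy of
// `name`, recording the path it was reached through and its dev flag.
function findInstalled(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name) {
      out.push({ path: here.join(' > '), version: info.version, dev: info.dev === true });
    }
    findInstalled(info, name, here, out);
  }
  return out;
}

// Copies still below the fixed version. The dev flag tells the reader whether
// the vulnerable code is reachable from production or only from dev tooling.
function vulnerableCopies(lock, advisory) {
  return findInstalled(lock, advisory.name)
    .filter(c => compareVersions(c.version, advisory.fixedIn) < 0);
}

// Run directly under Node (CommonJS) to print the report for the sample lock.
if (typeof require !== 'undefined' && require.main === module) {
  for (const c of vulnerableCopies(SAMPLE_LOCK, ADVISORY)) {
    console.log(`${c.path}@${c.version} < ${ADVISORY.fixedIn} (${c.dev ? 'dev only' : 'production'})`);
  }
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a copy reported with `dev: true` is the kind of test-only exposure the comment above describes, while a production copy below the fixed version is the case the task title asks to fix.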