如何在反应脚本中修复正则表达式拒绝服务
[英]how to fix Regular Expression Denial Of Services in react script
问题描述
I got 86 vulnerabilities and 4 of them are high.
我有 86 个漏洞,其中 4 个是高漏洞。 And then I run npm audit to know what's wrong with my react project然后我运行npm audit以了解我的反应项目有什么问题
High Regular Expression Denial of Service
Package normalize-url
Patched in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
Dependency of react-scripts
Path react-scripts > optimize-css-assets-webpack-plugin > cssnano
> cssnano-preset-default > postcss-normalize-url >
normalize-url
More info https://npmjs.com/advisories/1755
And then I visit the url and I know I should upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later.然后我访问了 url,我知道我应该升级到 4.5.1、5.3.1、6.0.1 或更高版本。 I did it using npm install normalize-url@6.0.1 but I still got the same vulnerabilities.我使用npm install normalize-url@6.0.1完成了它,但我仍然遇到相同的漏洞。 I try to check which version of normalize-url was installed by running npm ls normalize-url and I got:我尝试通过运行npm ls normalize-url ,我得到了:
+-- normalize-url@6.0.1
`-- react-scripts@4.0.3
+-- mini-css-extract-plugin@0.11.3
| `-- normalize-url@1.9.1
`-- optimize-css-assets-webpack-plugin@5.0.4
`-- cssnano@4.1.11
`-- cssnano-preset-default@4.0.8
`-- postcss-normalize-url@4.0.1
`-- normalize-url@3.3.0
I've tried to do this too https://www.npmjs.com/package/npm-force-resolutions and I still got the vulnerabilities.我也尝试过这样做https://www.npmjs.com/package/npm-force-resolutions但我仍然有漏洞。 Does anyone know how to fix this?有谁知道如何解决这一问题? Thanks谢谢
2 个解决方案
解决方案1
2 2021-06-10 17:55:06
I'm pretty sure what the output npm ls command is telling you is you have normalize-url@6.0.1 installed, but react-scripts is still relying on version 1.9.1.我很确定 output npm ls命令告诉你的是你安装了 normalize-url@6.0.1,但 react-scripts 仍然依赖于版本 1.9.1。 But not even react-scripts: react-scripts relies on mini-css-extract-plugin which relies on normalize-url@1.9.1.但甚至没有 react-scripts:react-scripts 依赖于 mini-css-extract-plugin,而 mini-css-extract-plugin 又依赖于 normalize-url@1.9.1。 And then there is a chain from optimize-css-assets-webpack-plugin that relies on normalize-url@3.3.0.然后有一个来自 optimize-css-assets-webpack-plugin 的链,它依赖于 normalize-url@3.3.0。 So you'll need to wait for the react team to fix their dependencies.所以你需要等待反应团队修复他们的依赖关系。 And it looks like they recently have https://github.com/apache/airflow/pull/16375(EDIT: scratch this comment, I realize now this has nothing to do with the react-scripts package. I thought maybe it did in some way. But I'll leave this statement in here as a mark of my shame:P ).看起来他们最近有 https://github.com/apache/airflow/pull/16375(编辑:划掉这条评论,我现在意识到这与反应脚本 package 无关。我想也许它在某种方式。但我将把这个声明留在这里作为我耻辱的标志:P)。
The react team knows about this vulnerability ( https://github.com/facebook/create-react-app/issues/11054 ) but I'm not certain when the fix is deployed and or how those updates get dispersed. React 团队知道这个漏洞( https://github.com/facebook/create-react-app/issues/11054 ),但我不确定修复何时部署以及这些更新如何分散。
解决方案2
1 2021-06-10 23:36:14
I just got the same issue, since react is maintained by facebook so i don't want to trust it, i deleted it, also i can't imagine making a project with 86 vulnerabilities 4 of them are ReDoS High.我刚遇到同样的问题,因为 react 由 facebook 维护,所以我不想相信它,我删除了它,我也无法想象制作一个包含 86 个漏洞的项目,其中 4 个是 ReDoS 高。
i suggest you try to delete normalize-url module from node-modules folder and package.lock.json then install the latest package 6.0.1我建议您尝试从node-modules文件夹和package.lock.json中删除 normalize-url 模块,然后安装最新的 package 6.0.1
npm i normalize-url
let me know if it can fix it.让我知道它是否可以修复它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.