fix(deps): update dependency path-to-regexp to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
path-to-regexp	0.1.12 -> 6.3.0

GitHub Vulnerability Alerts

CVE-2024-45296

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

• 0.1.10
• 1.9.0
• 3.3.0
• 6.3.0

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.

Details

Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.

Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.

References

• OWASP
• Detailed blog post

CVE-2024-52798

Impact

The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

• GHSA-9wv6-86v2-598j
• https://blakeembrey.com/posts/2024-09-web-redos/

---

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v6.3.0: Fix backtracking in 6.x

Compare Source

Fixed

• Add backtrack protection to 6.x (#​324) f1253b4

v6.2.2: Updated README

Compare Source

No API changes. Documentation only release.

Changed

• Fix readme example c7ec332
• Update shield URL e828000

v6.2.1: Fix matching :name* parameter

Compare Source

Fixed

• Fix invalid matching of :name* parameter (#​261) 762bc6b
• Compare delimiter string over regexp 86baef8

Added

• New example in documentation (#​256) ae9e576
• Update demo link (#​250) 77df638
• Update README encode example b39edd4

v6.2.0: Named Capturing Groups

Compare Source

Added

• Support named capturing groups for RegExps (#​225)

Fixed

• Update strict flag documentation (#​227)
• Ignore test files when bundling (#​220)

v6.1.0: Use `/#?` as Default Delimiter

Compare Source

Fixed

• Use /#? as default delimiter to avoid matching on query or fragment parameters
  • If you are matching non-paths (e.g. hostnames), you can adjust delimiter: '.'

v6.0.0: Custom Prefix and Suffix Groups

Compare Source

This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:

1. Support for nested non-capturing groups in regexp, e.g. /(abc(?=d))
2. Support for custom prefix and suffix groups using /{abc(.*)def}
3. Tokens in an unexpected position will throw an error
   • Paths like /test(foo previously worked treating ( as a literal character, now it expects ( to be closed and is treated as a group
   • You can escape the character for the previous behavior, e.g. /test\(foo

Changed

• Revert using any character as prefix, support prefixes option to configure this (starts as /. which acts like every version since 0.x again)
• Add support for {} to capture prefix/suffix explicitly, enables custom use-cases like /:attr1{-:attr2}?

v5.0.0: Remove Default Encode URI Component

Compare Source

No changes to path rules since 3.x, except support for nested RegEx parts in 4.x.

Changed

• Rename RegexpOptions interface to TokensToRegexpOptions
• Remove normalizePathname from library, document solution in README
• Encode using identity function as default, not encodeURIComponent

v4.0.5: Decode URI

Compare Source

Removed

• Remove whitelist in favor of decodeURI (advanced behavior can happen outside path-to-regexp)

v4.0.4: Remove String#normalize

Compare Source

Fixed

• Remove usage of String.prototype.normalize to continue supporting IE

v4.0.3: Normalize Path Whitelist

Compare Source

Added

• Add normalize whitelist of characters (defaults to /%.-)

v4.0.2: Allow RegexpOptions in match

Compare Source

Fixed

• Allow RegexpOptions in match(...) function

v4.0.1: Fix Spelling of Regexp

Compare Source

Fixed

• Normalize regexp spelling across 4.x

v4.0.0: ES2015 Package for Bundlers

Compare Source

All path rules are backward compatible with 3.x, except for nested () and other RegEx special characters that were previously ignored.

Changed

• Export names have changed to support ES2015 modules in bundlers
• match does not default to decodeURIComponent

Added

• New normalizePathname utility for supporting unicode paths in libraries
• Support nested non-capturing groups within parameters
• Add tree-shaking (via ES2015 modules) for webpack and other bundlers

v3.3.0: Add backtracking protection

Compare Source

Fixed

• Add backtrack protection to 3.x release (#​321) d31670a

v3.2.0: Match Function

Compare Source

Added

• Add native match function to library

v3.1.0: Validate and sensitive options

Compare Source

• Add sensitive option for tokensToFunction (#​191)
• Add validate option to path functions (#​178)

v3.0.0

Compare Source

• Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
• Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

v2.4.0

Compare Source

• Support start option to disable anchoring from beginning of the string

v2.3.0

Compare Source

• Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

v2.2.1

Compare Source

• Allow empty string with end: false to match both relative and absolute paths

v2.2.0

Compare Source

• Pass token as second argument to encode option (e.g. encode(value, token))

v2.1.0

Compare Source

• Handle non-ending paths where the final character is a delimiter
  • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

v2.0.0

Compare Source

• New option! Ability to set endsWith to match paths like /test?query=string up to the query string
• New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
• Remove isarray dependency
• Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
• Remove overloaded keys argument that accepted options
• Remove keys list attached to the RegExp output
• Remove asterisk functionality (it's a real pain to properly encode)
• Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

v1.9.0: Fix backtracking in 1.x

Compare Source

Fixed

• Add backtrack protection to 1.x release (#​320) 925ac8e
• Fix re.exec(&#​39;/test/route&#​39;) result (#​267) 32a14b0

v1.8.0: Backport token to function options

Compare Source

Added

• Backport TokensToFunctionOptions

v1.7.0

Compare Source

• Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

v1.6.0

Compare Source

• Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
• Allow a delimiter option to be passed in with parse
• Updated TypeScript definition with Keys and Options updated

v1.5.3

Compare Source

• Add \\ to the ignore character group to avoid backtracking on mismatched parens

v1.5.2

Compare Source

• Escape \\ in string segments of regexp

v1.5.1

Compare Source

• Add index.d.ts to NPM package

v1.5.0

Compare Source

• Handle partial token segments (better)
• Allow compile to handle asterisk token segments

v1.4.0

Compare Source

• Handle RegExp unions in path matching groups

v1.3.0

Compare Source

• Clarify README language and named parameter token support
• Support advanced Closure Compiler with type annotations
• Add pretty paths options to compiled function output
• Add TypeScript definition to project
• Improved prefix handling with non-complete segment parameters (E.g. /:foo?-bar)

v1.2.1

Compare Source

• Encode values before validation with path compilation function
• More examples of using compilation in README

v1.2.0

Compare Source

• Add support for matching an asterisk (*) as an unnamed match everything group ((.*))

v1.1.1

Compare Source

• Expose methods for working with path tokens

v1.1.0

Compare Source

• Expose the parser implementation to consumers
• Implement a compiler function to generate valid strings
• Huge refactor of tests to be more DRY and cover new parse and compile functions
• Use chai in tests
• Add .editorconfig

v1.0.3

Compare Source

• Optimised function runtime
• Added files to package.json

v1.0.2

Compare Source

• Use Array.isArray shim
• Remove ES5 incompatible code
• Fixed repository path
• Added new readme badges

v1.0.1

Compare Source

• Ensure installation works correctly on 0.8

v1.0.0

Compare Source

• No more API changes

v0.2.5

Compare Source

• Allow keys parameter to be omitted

v0.2.4

Compare Source

• Code coverage badge
• Updated readme
• Attach keys to the generated regexp

v0.2.3

Compare Source

• Add MIT license

v0.2.2

Compare Source

• A passed in trailing slash in non-strict mode will become optional
• In non-end mode, the optional trailing slash will only match at the end

v0.2.1

Compare Source

• Fixed a major capturing group regexp regression

v0.2.0

Compare Source

• Improved support for arrays
• Improved support for regexps
• Better support for non-ending strict mode matches with a trailing slash
• Travis CI support
• Block using regexp special characters in the path
• Removed support for the asterisk to match all
• New support for parameter suffixes - *, + and ?
• Updated readme
• Provide delimiter information with keys array

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.