fix: some security vulnerabilities (#4143)
## About the changes This should address: https://github.com/Unleash/unleash/security/code-scanning/1, https://github.com/Unleash/unleash/security/code-scanning/49 and https://github.com/Unleash/unleash/security/code-scanning/52 Refs: - https://securitylab.github.com/research/github-actions-untrusted-input/ - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS - https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1 --------- Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
This commit is contained in:
parent
8707c2f7d9
commit
661cbf2b91
6
.github/workflows/notify_enterprise.yaml
vendored
6
.github/workflows/notify_enterprise.yaml
vendored
@ -24,12 +24,6 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- run: |
|
||||
echo "github.event.head_commit.committer.name: ${{ github.event.head_commit.committer.name }}"
|
||||
echo "github.event.head_commit.committer.email: ${{ github.event.head_commit.committer.email }}"
|
||||
echo "github.actor: ${{ github.actor }}"
|
||||
echo "github.event.commits[0].author.name ${{ github.event.commits[0].author.name }}"
|
||||
echo "github.event.commits[0].author.email ${{ github.event.commits[0].author.email }}"
|
||||
- name: Trigger sync
|
||||
uses: actions/github-script@v6
|
||||
with:
|
||||
|
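Review bot: The remaining `Trigger sync` step still pulls third-party actions by mutable tag (`actions/checkout@v3`, `actions/github-script@v6`); pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, closes the tag-retargeting route that this untrusted-input fix does not cover. The `with:` block of that step continues past the end of the hunk, so I cannot see whether its `script:` still interpolates `${{ github.event.* }}` values; if it does, the same expression-injection pattern as the removed `run:` echo remains, and those values should instead be handed over via `env:` and read from `process.env`, or taken from `context.payload` inside the script. The enclosing `jobs:` entry starts before the hunk.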
@ -5,11 +5,19 @@ const matcher =
|
||||
|
||||
/**
|
||||
* Loosely validate an email address.
|
||||
* Max length of an email address is 320 characters: 64 for the local part + 1 for the @ +
|
||||
* 255 for the domain part.
|
||||
* See https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1
|
||||
*
|
||||
* Being a bit extra cautious here and limiting the max length to 500 characters, which prevents
|
||||
* [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) attacks
|
||||
* due to polynomial regular expression used on uncontrolled data.
|
||||
*
|
||||
* @param {string} string
|
||||
* @return {boolean}
|
||||
*/
|
||||
function isEmail(value: string): boolean {
|
||||
if (value.length > 500) return false;
|
||||
return matcher.test(value);
|
||||
}
|
||||
|
||||
|
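Review bot: The doc comment on the new `isEmail` names its parameter `string` while the signature names it `value`, and the `{string}`/`{boolean}` JSDoc type tags only repeat what TypeScript already declares; `* @param value - candidate address to check` and `* @returns true when value is within the length cap and matches the loose pattern` would be enough. The 500-character cap bounds the work of a backtracking match only if `matcher` (declared above the hunk, not visible here) really backtracks polynomially as the comment claims; a pattern with nested or overlapping quantifiers can still be expensive at 500 characters, so that property is worth confirming against the regex itself rather than relying on the cap alone. The limit also deserves a name, `const MAX_EMAIL_LENGTH = 500;` at module level, so the docstring and the check cannot drift apart. If I read RFC 5321 correctly, §4.5.3.1.3 additionally caps the whole path at 256 octets, so the 320 figure (64 + 1 + 255) in the comment describes the component limits rather than the practical maximum of an address; the more permissive 500 cap is unaffected, but the comment could say so.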