Headline
CVE-2020-7793: Fix ReDoS vulnerabilities reported by Snyk · faisalman/ua-parser-js@6d1f26d
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
@@ -222,7 +222,7 @@
// Presto based /(opera\smini)\/([\w\.-]+)/i, // Opera Mini /(opera\s[mobiletab]+).+version\/([\w\.-]+)/i, // Opera Mobi/Tablet /(opera\s[mobiletab]{3,6}).+version\/([\w\.-]+)/i, // Opera Mobi/Tablet /(opera).+version\/([\w\.]+)/i, // Opera > 9.80 /(opera)[\/\s]+([\w\.]+)/i // Opera < 9.80 ], [NAME, VERSION], [ @@ -252,7 +252,7 @@ /(konqueror)\/([\w\.]+)/i // Konqueror ], [[NAME, ‘Konqueror’], VERSION], [
/(trident).+rv[:\s]([\w\.]+).+like\sgecko/i // IE11 /(trident).+rv[:\s]([\w\.]{1,9}).+like\sgecko/i // IE11 ], [[NAME, ‘IE’], VERSION], [
/(edge|edgios|edga|edg)\/((\d+)?[\w\.]+)/i // Microsoft Edge @@ -362,13 +362,13 @@ /fxios\/([\w\.-]+)/i // Firefox for iOS ], [VERSION, [NAME, ‘Firefox’]], [
/version\/([\w\.]+).+?mobile\/\w+\s(safari)/i // Mobile Safari /version\/([\w\.]+)\s.*mobile\/\w+\s(safari)/i // Mobile Safari ], [VERSION, [NAME, ‘Mobile Safari’]], [
/version\/([\w\.]+).+?(mobile\s?safari|safari)/i // Safari & Safari Mobile /version\/([\w\.]+)\s.*(mobile\s?safari|safari)/i // Safari & Safari Mobile ], [VERSION, NAME], [
/webkit.+?(gsa)\/([\w\.]+).+?(mobile\s?safari|safari)(\/[\w\.]+)/i // Google Search Appliance on iOS /webkit.+?(gsa)\/([\w\.]+)\s.*(mobile\s?safari|safari)(\/[\w\.]+)/i // Google Search Appliance on iOS ], [[NAME, ‘GSA’], VERSION], [
/webkit.+?(mobile\s?safari|safari)(\/[\w\.]+)/i // Safari < 3.0 @@ -387,7 +387,7 @@
// Firefox/SeaMonkey/K-Meleon/IceCat/IceApe/Firebird/Phoenix /(firefox)\/([\w\.]+)\s[\w\s\-]+\/[\w\.]+$/i, // Other Firefox-based /(mozilla)\/([\w\.]+).+rv\:.+gecko\/\d+/i, // Mozilla /(mozilla)\/([\w\.]+)\s.+rv\:.+gecko\/\d+/i, // Mozilla
// Other /(polaris|lynx|dillo|icab|doris|amaya|w3m|netsurf|sleipnir)[\/\s]?([\w\.]+)/i, @@ -487,7 +487,7 @@ /(sprint\s(\w+))/i // Sprint Phones ], [[VENDOR, mapper.str, maps.device.sprint.vendor], [MODEL, mapper.str, maps.device.sprint.model], [TYPE, MOBILE]], [
/(htc)[;_\s-]+([\w\s]+(?=\)|\sbuild)|\w+)/i, // HTC /(htc)[;_\s-]{1,2}([\w\s]+(?=\)|\sbuild)|\w+)/i, // HTC /(zte)-(\w*)/i, // ZTE /(alcatel|geeksphone|nexian|panasonic|(?=;\s)sony)[_\s-]?([\w-]*)/i // Alcatel/GeeksPhone/Nexian/Panasonic/Sony @@ -591,13 +591,13 @@ ], [MODEL, [VENDOR, ‘Google’], [TYPE, MOBILE]], [
/android.+;\s(\w+)\s+build\/hm\1/i, // Xiaomi Hongmi ‘numeric’ models /android.+(hm[\s\-_]*note?[\s_]*(?:\d\w)?)\s+build/i, // Xiaomi Hongmi /android.+(redmi[\s\-_]*(?:note|k)?(?:[\s_]?[\w\s]+))(?:\s+build|\))/i, /android.+(hm[\s\-_]?note?[\s_]?(?:\d\w)?)\sbuild/i, // Xiaomi Hongmi /android.+(redmi[\s\-_]?(?:note|k)?(?:[\s_]?[\w\s]+))(?:\sbuild|\))/i, // Xiaomi Redmi /android.+(mi[\s\-_]*(?:a\d|one|one[\s_]plus|note lte)?[\s_]?(?:\d?\w?)[\s_]*(?:plus)?)\s+build/i /android.+(mi[\s\-_]?(?:a\d|one|one[\s_]plus|note lte)?[\s_]?(?:\d?\w?)[\s_]?(?:plus)?)\sbuild/i // Xiaomi Mi ], [[MODEL, /_/g, ' '], [VENDOR, ‘Xiaomi’], [TYPE, MOBILE]], [ /android.+(mi[\s\-_]*(?:pad)(?:[\s_]?[\w\s]+))(?:\s+build|\))/i // Mi Pad tablets /android.+(mi[\s\-_]?(?:pad)(?:[\s_]?[\w\s]+))(?:\sbuild|\))/i // Mi Pad tablets ],[[MODEL, /_/g, ' '], [VENDOR, ‘Xiaomi’], [TYPE, TABLET]], [ /android.+;\s(m[1-5]\snote)\sbuild/i // Meizu ], [MODEL, [VENDOR, ‘Meizu’], [TYPE, MOBILE]], [ @@ -611,7 +611,7 @@ /android.+[;\/]\s*(RCT[\d\w]+)\s+build/i // RCA Tablets ], [MODEL, [VENDOR, ‘RCA’], [TYPE, TABLET]], [
/android.+[;\/\s]+(Venue[\d\s]{2,7})\s+build/i // Dell Venue Tablets /android.+[;\/\s](Venue[\d\s]{2,7})\s+build/i // Dell Venue Tablets ], [MODEL, [VENDOR, ‘Dell’], [TYPE, TABLET]], [
/android.+[;\/]\s*(Q[T|M][\d\w]+)\s+build/i // Verizon Tablet @@ -669,8 +669,8 @@ /android.+[;\/]\s*TU_(1491)\s+build/i // Rotor Tablets ], [MODEL, [VENDOR, ‘Rotor’], [TYPE, TABLET]], [
/android.+(KS(.+))\s+build/i // Amazon Kindle Tablets ], [MODEL, [VENDOR, ‘Amazon’], [TYPE, TABLET]], [ //android.+(KS(.+))\s+build/i // Amazon Kindle Tablets //], [MODEL, [VENDOR, ‘Amazon’], [TYPE, TABLET]], [
/android.+(Gigaset)[\s\-]+(Q\w{1,9})\s+build/i // Gigaset Tablets ], [VENDOR, MODEL, [TYPE, TABLET]], [