Is react-i18next vulnerable to CVE-2021-23346 ?

[andyedwardsibm]

🐛 Bug Report

Raising as an issue here as I'm not sure this makes sense to ask on SO

• This module uses html-parse-stringify2@^2.0.1.
• CVE-2021-23346 (more info in https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307) has been raised against that module. It's not clear whether html-parse-stringify2 is still maintained and will ever be fixed (ongoing conversation in Regular Expression Denial of Service possible rayd/html-parse-stringify2#26).
• I think

  react-i18next/src/Trans.js

  Line 136 in 9f80ddc

  const ast = HTML.parse(`<0>${interpolatedString}</0>`);

  is the only place that html-parse-stringify2 is used, where the string to be parsed is explicitly wrapped in <0>${interpolatedString}</0>
• I have not yet managed to find a value for ${interpolatedString} that triggers the ReDoS bug in html-parse-stringify2, and looking at the bug in the RegEx in html-parse-stringify2 I'm pretty sure there isn't one, but would like an official view from the maintainers on whether CVE-2021-23346 is definitely not applicable.

To Reproduce

If you want to see the bug in html-parse-stringify2 then run...

const p = require('html-parse-stringify2')

console.log('parsing')
p.parse("<!'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!")
console.log('parsed')

This does not complete in a timely manner.

Running the following does complete quickly, but maybe I just can't think of a "bad" input yet.

const p = require('html-parse-stringify2')

console.log('parsing')
p.parse("<0><!'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!></0>")
console.log('parsed')

Expected behavior

Hopefully you confirm this is not applicable

Your Environment

• runtime version: Node v14
• i18next version: i.e. 14.1.1
• os: Linux

[adrai]

imo, thanks to the <0> wrapping the vulnerability has no effect to react-i18next's Trans component.
Nevertheless, it would be nice, if the html-parse-stringify2 package would be updated.

[mbochynski]

@adrai would it be possible to switch to https://github.com/HenrikJoreteg/html-parse-stringify where this vulnerability has been fixed?

[adrai]

if it includes everything html-parse-stringify2 has, probably yes...
did not check it...
if you like, you can try, execute and maybe extend the tests and make a PR

[japrescott]

@mbochynski it seems that the linked repo is actually the original of html-parse-stringify2. So we should be able to switch to html-parse-stringify

[adrai]

feel free to try a PR

[kachkaev]

I tried fixing this in #1283, but not much luck so far. Are there any alternatives to html-parse-stringify / html-parse-stringify2 we can try?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[kachkaev]

bump

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[alon24]

Are there any news here, I imagine I am not the only one who is suffering from this

[adrai]

@alon24 first of all, there is no real suffering, because this CVE seems not to affect react-i18next at runtime...
Nevertheless, it would be nice if we could also update that dependency... so currently we're waiting for @HenrikJoreteg to check for #1283 (comment)
or for @rayd to check rayd/html-parse-stringify2#27