
Security: Querela/prism


SECURITY.md

Security Policy

What is considered a vulnerability?

There are some types of low-severity vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed.

Please see the below section on how we treat ReDoS vulnerabilities.

If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below).

ReDoS

Prism is a regex-based syntax highlighter. As such, the main types of vulnerabilities reported to us are ReDoS vulnerabilities (CWE-1333), aka slow regexes.

However, not all ReDoS is created equal. A slow regex can have a worst-case time complexity anywhere from O(n²) to O(2ⁿ). This matters because, in the context of Prism, a worst-case time complexity ≥ O(n³) is a high severity vulnerability while O(n²) is low or medium severity. Furthermore, worst-case time complexities of O(n²) can have 2 different causes: backtracking or moving. Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases).

Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of O(n2) caused by moving as regular bugs and not as vulnerabilities. Please report them as bugs instead of as vulnerabilities.
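The distinction drawn in the two paragraphs above (quadratic backtracking, which a rewrite removes, versus quadratic moving, which it does not) can be checked empirically. The following is an added example written for this page; it is not code from Prism or its maintainers. It assumes Node.js with the global `performance` timer, and it reads "moving" as the engine re-attempting the match at each successive start position of the input, which is the interpretation the example is built on. The regexes, sample inputs and helper names are constructed for illustration.

```javascript
// Added example, not code from Prism or its SECURITY.md. It contrasts a
// regex whose quadratic worst case comes from backtracking (fixable by a
// rewrite) with one whose quadratic worst case comes from the engine
// re-attempting the match at every start position ("moving" as read here).

// Backtracking case: two adjacent unbounded quantifiers over the same class.
// Anchored with ^ so only one start position is tried. On "111...1" with no
// trailing x, the engine tries every split between the two \d+ before giving
// up: O(n^2).
const slowBacktracking = /^\d+\d+x/;

// Rewrite: \d+\d+ accepts exactly the strings \d{2,} accepts, but with one
// quantifier there is only one way to consume the digits, so a failed match
// backtracks O(n) times.
const fixedBacktracking = /^\d{2,}x/;

// Moving case: a single \d{2,} is already linear per start position, but the
// pattern is unanchored, so on "111...1" the engine retries from each of the
// n positions and scans the remainder each time: O(n^2) with nothing left
// to rewrite.
const slowMoving = /\d{2,}x/;

// Constructed inputs covering the boundary of the minimum digit count.
const samples = ["", "x", "1x", "12x", "123x", "1234567x", "12", "12y", " 12x", "12 x"];

// Before trusting a rewrite, confirm it accepts and rejects the same inputs
// as the original.
function sameBehaviour(a, b, inputs) {
  return inputs.every((s) => a.test(s) === b.test(s));
}

function timeMs(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Ratio of running time at 2n vs n on an all-digit input with no match:
// roughly 2 for a linear regex, roughly 4 for a quadratic one.
function growthRatio(re, n) {
  const small = "1".repeat(n);
  const large = "1".repeat(2 * n);
  timeMs(re, small); // warm-up run, result discarded
  return timeMs(re, large) / timeMs(re, small);
}

console.log(
  "rewrite equivalent on samples:",
  sameBehaviour(slowBacktracking, fixedBacktracking, samples)
);
for (const re of [slowBacktracking, fixedBacktracking, slowMoving]) {
  console.log(String(re).padEnd(12), "time ratio 2n/n at n=4000:", growthRatio(re, 4000).toFixed(1));
}
```

The equivalence check is the part worth keeping around: a ReDoS fix that changes which strings a token matches is a highlighting regression, so every rewrite should be tested against inputs on both sides of the quantifier's minimum count. The timing ratios are illustrative and noisy at small n; the point is that the anchored rewrite's ratio drops towards 2 while the unanchored pattern stays near 4 no matter how its quantifiers are written.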

If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below).

Reporting a Vulnerability

DO NOT CREATE AN ISSUE to report a vulnerability.

Instead, please send an email to at least one of Prism's maintainers. See Responsible Disclosure for more details.

Procedure

  1. After you send an email to a maintainer, you should receive a response from the Prism team within 3 days.

    We may require further information, so please keep in touch with us until the vulnerability has been fixed.

  2. After the vulnerability has been confirmed and accepted, we will create a security advisory and start working on a fix.

    You will be added as a collaborator (this requires a GitHub account). At this point, all communication will occur using comments on the advisory and the temporary private fork.

  3. After the fix has been merged, we will make a new release and publish the security advisory within one week.
