
[Security advisory]: Prevent ReDoS Vulnerability in Authorization Header Redaction #492

Closed
1 task done
ShiyuBanzhou opened this issue Feb 9, 2025 · 4 comments
Labels
Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented

Comments

@ShiyuBanzhou
Contributor

What happened?

My security advisory URL is here: GHSA-xx4v-prfh-6cgc
Resolves: #Solution

Versions

@octokit/request-error >=v1.0.0

Relevant log output

Code of Conduct

  • I agree to follow this project's Code of Conduct
@ShiyuBanzhou ShiyuBanzhou added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented labels Feb 9, 2025

github-actions bot commented Feb 9, 2025

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@wolfy1339
Member

Please do not post security vulnerabilities publicly. Please follow the proper disclosure process at
https://github.com/github/.github/blob/main/SECURITY.md#reporting-security-issues

@ShiyuBanzhou
Contributor Author

Hello @wolfy1339,
I understand your point, so all the links I provided above are private and can only be viewed by your team. The reason I submitted a public issue is that two weeks ago, I had already submitted a related issue in your other project's endpoint, but it has not yet been addressed. I mistakenly thought that submitting a public issue would serve as a reminder for you to handle it promptly. I apologize if this caused any inconvenience or gave the impression of rushing you; that was never my intention. If you have any concerns, please feel free to contact me. My only goal is to help make your project more robust and secure. I look forward to hearing from you, and it would be greatly appreciated if you could let me know when the issue might be resolved. In fact, I've already sent a notification to the designated email following the security notice, but I haven't received any response yet, and it's been a month.
Thank you for your understanding, and I look forward to your reply.

@wolfy1339
Member

🎉 This issue has been resolved in version 6.1.7 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-project-automation github-project-automation bot moved this from 🆕 Triage to ✅ Done in 🧰 Octokit Active Feb 13, 2025