Skip to content

fixed regexes to avoid ReDoS attacks #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 25, 2021
Merged

fixed regexes to avoid ReDoS attacks #10

merged 2 commits into from
May 25, 2021
+38 −35

Conversation

@jeffrey-pinyan-ithreat
Copy link
Contributor

@jeffrey-pinyan-ithreat jeffrey-pinyan-ithreat commented May 13, 2021

Replaces [\s\S]*? with less explosive alternatives.

@jeffrey-pinyan-ithreat jeffrey-pinyan-ithreat mentioned this pull request May 17, 2021
Closed
wickedest
wickedest reviewed May 20, 2021
View reviewed changes
index.js
// 'root' is just a slash, or nothing.
var splitPathRe =
/^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
/^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
Copy link

@wickedest wickedest May 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These look like breaking changes to me, and I am not entirely sure if this fixes the DoS. I did a little work on this issue. It is tempting to fix the groups, the whitespace (\s\S), etc., but I found that the existing unit tests were incomplete (even if some are unrealistic).

I found that these tests needed to be added:

var regexDosFileNameLength = 50000;
var regexDosFileName = Buffer.alloc(regexDosFileNameLength, '/').toString() + 'file.txt';

[{ root: '/', dir: '/home/user/dir', base: 'file.txt', ext: '.txt', name: 'file' }, '/home/user/dir/file.txt/'],
[{ root: '/', dir: '/\n\thome/user/dir', base: 'file.txt', ext: '.txt', name: 'file' }, '/\n\thome/user/dir/file.txt/'],
[{ root: '/', dir: '/////////', base: 'file.txt', ext: '.txt', name: 'file' }, '//////////file.txt'],
[{ root: '/', dir: '/', base: '', ext: '', name: '' }, '//////////'],
[{ root: '/', dir: Buffer.alloc(regexDosFileNameLength - 1, '/').toString(), base: 'file.txt', ext: '.txt', name: 'file' }, regexDosFileName],
 ];

If you want these to be breaking changes, then fine. The regexDosFileNameLength is specifically to test the regex DoS.

Copy link
Contributor Author

@jeffrey-pinyan-ithreat jeffrey-pinyan-ithreat May 20, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can pass those tests with

var splitPathRe =
  /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:(?<=^\/)|(?<!\/))[\/]*$/;`

return {
  // ...
  dir: allParts[0] === '/' ? allparts[0] : allParts[0].slice(0, -1),
  // ...
}

But as thrilling as it is to have a single regex handling the parsing, it'd be much wiser to clean up the parameter (e.g. by stripping trailing slashes, while retaining a leading slash) and keeping the regex simple.

And as for avoiding the ReDoS, my testing shows a significant improvement:

attack_str.length: 1970001: 332 ms
attack_str.length: 1980001: 359 ms
attack_str.length: 1990001: 385 ms
attack_str.length: 2000001: 295 ms

@jbgutierrez jbgutierrez merged commit eca63a7 into jbgutierrez:master May 25, 2021
This was referenced Jul 20, 2021
Merged
Merged
@debricked debricked bot mentioned this pull request Aug 9, 2021
Open
This was referenced Aug 31, 2021
Open
Closed
Closed
Merged
Open
Closed
@debricked debricked bot mentioned this pull request Oct 22, 2021
Closed
@yanokwa yanokwa mentioned this pull request Oct 27, 2021
Merged
This was referenced Nov 15, 2021
Open
Merged
immense055
immense055 reviewed Apr 13, 2022
View reviewed changes
Copy link

@immense055 immense055 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.npmignore

immense055
immense055 reviewed Apr 13, 2022
View reviewed changes
Copy link

@immense055 immense055 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.npmignore

@immense055
Copy link

immense055 commented Apr 13, 2022

09e1086

@debricked debricked bot mentioned this pull request May 14, 2022
Closed
@CMaheshBL CMaheshBL mentioned this pull request May 6, 2022
Open
@cx-svetlana-shur cx-svetlana-shur mentioned this pull request May 16, 2022
Open
@debricked-staging debricked-staging bot mentioned this pull request Sep 12, 2022
Open
@debricked debricked bot mentioned this pull request Nov 14, 2022
Open
@sloanelybutsurely sloanelybutsurely mentioned this pull request May 31, 2024
Closed
@pratheeshrussell-qb pratheeshrussell-qb mentioned this pull request Feb 20, 2025
Closed
@pratheeshrussell-qb pratheeshrussell-qb mentioned this pull request Apr 7, 2025
Closed
@github-actions github-actions bot mentioned this pull request Apr 7, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@wickedest wickedest wickedest left review comments

@immense055 immense055 immense055 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jeffrey-pinyan-ithreat @immense055 @wickedest @jbgutierrez