-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Email Regex Vulnerable to ReDoS attack #2609
Comments
I might just be stupid, but this might be an example: github.com/colinhacks/zod/issues/2580#issue-1805042689 |
I've checked all other regexes and it seems like they are safe. Actually the latest codebase has emailRegex already changed in #2157, though the new regex is unsafe as well... There is a proposal to use HTML input regex in comments #2157 (comment) and I used it as a solution while zod doesn't have safe email regex. Just change |
Thank you! 👍 |
Should I close, and if so, should I close as "completed" or "not planned"? |
We run into this problem in production and confirmed the problem by adding Here's a few (rudimentary) benchmarks I ran using the format above with varying lengths:
|
This is the cause of a SNYK issue now https://security.snyk.io/vuln/SNYK-JS-ZOD-5925617 so probably means this should be fixed as it will effect many projects. We will be looking to create a custom schema for now using Edit: using |
adapted the regex above slightly to exclude emails containing |
Thank you! |
Sorry but this report and this organization as a whole is just as reliable / trustworthy as your local spam mail operator. Even if there is a vulnerability as is described here, the report does not specify any relation to zod whatsoever. |
Please see the PR #2824 by @MacsDickinson - this explains (and fixes) the issue in more detail. Regardless of how reliable / trustworthy the Snyk report is, #2824 demonstrates the inefficiency in the email regex currently being used within zod. |
Indeed, and thanks @MacsDickinson for working on it. My issue is that this organization repeatedly published reports about packages that contain insufficient or wrong information and often enough then become stale, spreading misinformation and making it hard to convince users an issue is fixed / does not exist. |
In this instance the Snyk vulnerability was spot on and I was able to replicate using the info in the CVE. |
A long time ago our security researcher found this problem and we were not notified by you. As a security company we did not open a public ticket for a security breach, but we did send you an email. So we issued a due advisory as per our security policy: |
My bad...? |
Email Regex Vulnerable to ReDoS attack
The problem
When trying to develop authentication in my new application, I decided to use Zod for (part of) my validation checking.
I always check for vulnerabilities, and I know that ReDoS (Regular Expression Denial of Service) is a primarily common vulnerability. I knew Zod must use regex to validate
z.string().email()
. So, I checked the source code. I found (on my local machine,./node_modules/zod/lib/types.js
had a vulnerable regex.On line 324 it has the following code:
I copied the regular expression and checked if it was vulnerable to a ReDoS attack. I went to the most recommended ReDoS checker, recheck. This is what I found:
The other regexes
I have not checked any other regexes, but there are multiple others, but I will paste the code for anyone who would like to check. This starts in the same file previously mentioned but on line 320.
Please let me know of any way that I can help
The text was updated successfully, but these errors were encountered: