Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: vulnerable regex #1222

Closed
davisjam opened this issue Apr 15, 2018 · 5 comments
Closed

security: vulnerable regex #1222

davisjam opened this issue Apr 15, 2018 · 5 comments

Comments

@davisjam
Copy link
Contributor 

(18:57:29) jamie@woody ~/Desktop/floss/marked $ npm run test:redos

> marked@0.3.19 test:redos /home/jamie/Desktop/floss/marked
> eslint --plugin vuln-regex-detector --rule '"vuln-regex-detector/no-vuln-regex": 2' lib/marked.js


/home/jamie/Desktop/floss/marked/lib/marked.js
  557:14  error  Regex pattern vulnerable to catastrophic backtracking: ^!?\[(label)\]\(\s*<?([\s\S]*?)>?(?:\s+(['"][\s\S]*?['"]))?\s*\)  vuln-regex-detector/no-vuln-regex
davisjam added a commit to davisjam/marked that referenced this issue Apr 15, 2018
@davisjam
security: replace vulnerable regex with parser
4717be9 
Problem: link regex was vulnerable
Solution: dedicated parser

Fixes: markedjs#1222
@davisjam davisjam mentioned this issue Apr 15, 2018
Merged
@UziTech
Copy link
Member

UziTech commented Apr 16, 2018

out of curiosity what is the part of this regex that is vulnerable?

@davisjam
Copy link
Contributor Author

The issue is the quantified adjacent whitespaces here: \s*<?[\s\S]*>?\s+. The angle brackets are optional so input including a ton of whitespace can be problematic.

@davisjam davisjam mentioned this issue Apr 16, 2018
Closed
styfle pushed a commit that referenced this issue Apr 17, 2018
@davisjam @styfle
security: replace vulnerable regex with parser (#1223)
5ab4ae3 
* security: replace vulnerable regex with parser

Problem: link regex was vulnerable
Solution: dedicated parser

Fixes: #1222
@UziTech
Copy link
Member

UziTech commented Apr 17, 2018

wouldn't some thing like this solve it?

...\s*(<[\s\S]*?>|[^\s]+)(?:\s+...

no more quantified adjacent whitespaces

@UziTech
Copy link
Member

UziTech commented Apr 17, 2018

and the angle brackets are already being taken out of the url by this line

@davisjam
Copy link
Contributor Author

...\s*(<[\s\S]*?>|[^\s]+)(?:\s+...

This would not solve it, just change the form it took. On malicious input of the form <<...< it would have to decide between the left or right node in the disjunction. Backtracking manifests around 10K <s and gets worse as you increase.

zhenalexfan pushed a commit to zhenalexfan/MarkdownHan that referenced this issue Nov 8, 2021
@davisjam @styfle
security: replace vulnerable regex with parser (markedjs#1223)
4974bf0 
* security: replace vulnerable regex with parser

Problem: link regex was vulnerable
Solution: dedicated parser

Fixes: markedjs#1222
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@UziTech @davisjam