fix the regular expression for function clean in utils.js

[yetingli]

Description of the Change

Fix the regular expression for function clean in utils.js to avoid potential Regular Expression Denial of Service (ReDoS) vulnerabilities.

Alternate Designs

The ReDoS vulnerabilities of the regex /^function(?:\s*|\s+[^(]*)\([^)]*\)\s*\{((?:.|\n)*?)\s*\}$|^\([^)]*\)\s*=>\s*(?:\{((?:.|\n)*?)\s*\}|((?:.|\n)*))$/ are mainly due to the overlapped sub-patterns \s+[^(]* and ((?:.|\n)*?)\s*.
We can ignore \s first, because in the end, we can also deal with \s using the trim function (see the code below）

mocha/lib/utils.js

Line 92 in 8421974

return str.trim();

So I am willing to suggest that you replace the ReDoS-vulnerable regex /^function(?:\s*|\s+[^(]*)\([^)]*\)\s*\{((?:.|\n)*?)\s*\}$|^\([^)]*\)\s*=>\s*(?:\{((?:.|\n)*?)\s*\}|((?:.|\n)*))$/ with the safe regex /^function(?:\s*|\s[^(]*)\([^)]*\)\s*\{((?:.|\n)*?)\}$|^\([^)]*\)\s*=>\s*(?:\{((?:.|\n)*?)\}|((?:.|\n)*))$/

Benefits

It achieves functional equivalence and is not subject to ReDoS attacks.

Applicable issues

See the link https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/

[psmoros]

hey @boneskull someone from the team asked @yetingli to open a PR with a security fix; do you guys plan on merging it sometime soon?

[github-actions]

This PR hasn't had any recent activity, and I'm labeling it stale. Remove the label or comment or this PR will be closed in 14 days. Thanks for contributing to Mocha!

[ewrayjohnson]

I am voting for this to be merged ASAP.

[yetingli]

Reported in huntr https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/

Please mark as valid and confirm fix in huntr once it's merged, so that I will get rewarded for their efforts!
Thanks! cc @psmoros

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: yetingli / name: Yeting Li (b9456e9, 2a3005c)

[coveralls]

Coverage decreased (-0.1%) to 94.326% when pulling 2a3005c on yetingli:master into 111467f on mochajs:master.

[outsideris]

@yetingli We missed it. Sorry for the late response.
Can you sign the CLA?
I confirmed this ReDos vulnerability and addressed it with this fix.

@mochajs/core I will merge this in a few days after CLA.
Because mocha is a test framework, ReDoS is not very likely in a production environment, but it needs to be fixed.

After merging this PR, I will add a test for ReDos.

[outsideris]

#4909

[outsideris]

LGTM

[yetingli]

Hi @outsideris, thank you for your response! And I have signed the CLA.

Please mark as valid and confirm fix in huntr (https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/) once it's merged, so that I will get rewarded for their efforts!
Thanks! cc @psmoros

[outsideris]

@yetingli Okay, It's my first time using Huntr. I will try it after merging this.

[sauravlikhar]

Which mocha version has this fix? 10.0.0 is still giving the same issue.

[heidemn-faro]

@outsideris sorry to bother, but can a new version be published with this fix? Our security tools are complaining...

[Banhawy]

@sauravlikhar @heidemn-faro the fix is now published in version 10.1.0

[rahulankit30]

is it fixed??? 10.2.0 is still giving this error