fix(decimal128): add basic guard against REDOS attacks
This is a naive approach to reducing the efficacy of a REDOS attack
against this module. A refactor of the regular expression or a
custom parser substitute would be ideal, however this solution
suffices as a stopgap until such work is completed.

Many thanks to James Davis who graciously alerted us to the
attack
mbroadst committed Feb 26, 2018
1 parent e403bd9 commit bd61c45
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions lib/bson/decimal128.js
Expand Up @@ -235,6 +235,13 @@ Decimal128.fromString = function(string) {
// Trim the string
string = string.trim();

// Naively prevent against REDOS attacks.
// TODO: implementing a custom parsing for this, or refactoring the regex would yield
// further gains.
if (string.length >= 7000) {
throw new Error('' + string + ' not a valid Decimal128 string');
}

// Results
var stringMatch = string.match(PARSE_STRING_REGEXP);
var infMatch = string.match(PARSE_INF_REGEXP);
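Review bot: the `7000` threshold is a magic number and the thrown Error interpolates the whole rejected string; name the limit (e.g. `var MAX_DECIMAL128_STRING_LENGTH = 7000;` near the regex definitions, with a comment saying it exists to bound regex matching time) and truncate or drop the input in the message, since `throw new Error('' + string + ' not a valid Decimal128 string');` otherwise copies up to ~7000 attacker-chosen characters into every error and log line. Note also that the cap only bounds the cost: if `PARSE_STRING_REGEXP` backtracks super-linearly, a 6999-character input is still matched twice here (once per regex) with a worst case in the millions of steps per call, so the TODO about a custom parser should remain a real follow-up rather than being closed by this guard.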
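The commit message describes the length cap as a stopgap and a custom parser as the real fix. The block below is an added example, not the project's code, sketching what that custom parser could look like: the same kind of length guard, followed by a single forward pass over `[+-]?digits[.digits][(e|E)[+-]?digits]` plus `Infinity`/`inf`/`NaN`, so matching cost is linear in the input regardless of its content. The function and constant names are hypothetical; the exponent range and 34-digit limit are the IEEE 754-2008 decimal128 values, and out-of-range values are simply rejected here where a full implementation would round or rescale.

```javascript
'use strict';

// Added example, not the library's code. Names below are hypothetical.
// IEEE 754-2008 decimal128 limits: unbiased exponent -6176..6111, 34 coefficient digits.
const EXPONENT_MIN = -6176;
const EXPONENT_MAX = 6111;
const MAX_DIGITS = 34;
// Same stopgap as the commit: refuse very long inputs before any matching runs.
const MAX_STRING_LENGTH = 7000;

function isTooLong(s) {
  return s.length >= MAX_STRING_LENGTH;
}

function isDigit(c) {
  return c >= '0' && c <= '9';
}

// Single forward pass over [+-]?digits[.digits][(e|E)[+-]?digits], or
// Infinity / inf / NaN (case-insensitive). Every character is examined once and
// nothing backtracks, so the cost is linear in input length for any input.
// Returns { sign, digits, exponent } or { sign, special } or null when invalid.
function scanDecimalString(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  if (s.length === 0 || isTooLong(s)) return null;

  let i = 0;
  let sign = 1;
  if (s[i] === '+' || s[i] === '-') {
    sign = s[i] === '-' ? -1 : 1;
    i++;
  }

  const rest = s.slice(i).toLowerCase();
  if (rest === 'infinity' || rest === 'inf') return { sign, special: 'Infinity' };
  if (rest === 'nan') return { sign, special: 'NaN' };

  let digits = '';
  let fractionDigits = 0;
  let sawPoint = false;
  while (i < s.length) {
    const c = s[i];
    if (isDigit(c)) {
      digits += c;
      if (sawPoint) fractionDigits++;
    } else if (c === '.' && !sawPoint) {
      sawPoint = true;
    } else {
      break;
    }
    i++;
  }
  if (digits.length === 0) return null; // "", ".", "+", "-." and similar

  let exponent = 0;
  if (i < s.length && (s[i] === 'e' || s[i] === 'E')) {
    i++;
    let expSign = 1;
    if (s[i] === '+' || s[i] === '-') {
      expSign = s[i] === '-' ? -1 : 1;
      i++;
    }
    const start = i;
    while (i < s.length && isDigit(s[i])) i++;
    // No exponent digits, or far more digits than any in-range exponent needs.
    if (i === start || i - start > 10) return null;
    exponent = expSign * Number(s.slice(start, i));
  }
  if (i !== s.length) return null; // trailing characters after the number

  // Drop leading zeros (keeping at least one digit) and fold the fraction into the exponent.
  let k = 0;
  while (k < digits.length - 1 && digits[k] === '0') k++;
  const coefficient = digits.slice(k);
  const scaledExponent = exponent - fractionDigits;

  // Simplification: a full implementation would round or rescale instead of rejecting.
  if (coefficient.length > MAX_DIGITS) return null;
  if (scaledExponent < EXPONENT_MIN || scaledExponent > EXPONENT_MAX) return null;

  return { sign, digits: coefficient, exponent: scaledExponent };
}
```

Because the scanner never retries an earlier position, the length guard stops being a correctness requirement and becomes a plain resource limit; it is kept only so that callers cannot make the function allocate a multi-kilobyte coefficient string for an input that could never be a valid Decimal128 anyway.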