Vulnerable Regular Expression

[cristianstaicu]

The following regular expression used in the "o" formatter is vulnerable to ReDoS:

/\s*\n\s*/

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:

• remove the regex,
• anchor the regex,
• limit the number of characters that can be matched by the repetition,
• limit the input size.

If needed, I can provide an actual example showing the slowdown.

[TooTallNate]

Thanks for the report. Patch welcome! The %o formatter by design needs to remove the newlines but any performance optimizations are ❤️ 👍

[fadookie]

@TooTallNate As far as I can tell no security patch for this issue has yet been released for 3.x, is this in the works? Thanks!

[TooTallNate]

@fadookie Yes correct, thanks for the nudge. v3.1.0 has now been published.