Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential catastrophic backtracking #10002

Closed
davisjam opened this issue Feb 22, 2018 · 4 comments · Fixed by Urigo/tortilla#62, mono-js/mono-doc#4, mono-js/mono-notifications#5, mono-js/mono-mail#5 or mono-js/mono#8
Closed

Potential catastrophic backtracking #10002

davisjam opened this issue Feb 22, 2018 · 4 comments · Fixed by Urigo/tortilla#62, mono-js/mono-doc#4, mono-js/mono-notifications#5, mono-js/mono-mail#5 or mono-js/mono#8
Labels
accepted There is consensus among the team that this change meets the criteria for inclusion archived due to age This issue has been archived; please open a new issue for any further discussion bug ESLint is working incorrectly core Relates to ESLint's core APIs and features

Comments

@davisjam
Copy link
Contributor

One of the regexes in eslint is vulnerable to catastrophic backtracking.

@nzakas says this isn't a problem as used in eslint:

Oh yeah, that’s basically just used to insert data into placeholders for our error messages. So we can have a message like this:

“Expected {{count}} spaces.”

And be able to insert a value for “count” without doing string concatenation.

We did this in order to avoid pulling in a whole library like Mustache. Given that there are whole templating libraries on the server, I can’t imagine why someone would want to use this.

Perhaps a comment to warn future copy/pasters might be in order, however.

Here's a description of the problematic pattern and an attack string.

{
"pattern" : "\{\{\s*([^{}]+?)\s*\}\}",
"nPumpsFor10Sec" : "48325",
"filesIn" : [
[
"lib/util/interpolate.js"
]
],
"blowupCurve" : {
"r2" : 0.996141596724248,
"parms" : [
3.10391182858704e-08,
1.82075786106333
],
"type" : "POWER"
},
"attackFormat" : {
"suffix" : "{\t{",
"pumpPairs" : [
{
"pump" : "a",
"prefix" : "{{\t"
},
{
"pump" : "\t",
"prefix" : "a"
}
]
},
"stringLenFor10Sec" : 96657
}
@eslint-deprecated eslint-deprecated bot added the triage An ESLint team member will look at this issue soon label Feb 22, 2018
@ljharb
Copy link
Contributor

ljharb commented Feb 22, 2018

Since this would have to be caused by a malicious rule, and the "victim" of the attack would have to enable the rule (or the shared config providing it) themselves, this doesn't seem worrying at all.

@davisjam
Copy link
Contributor Author

Agreed, not a problem as currently used in eslint. But since people like to copy/paste regexes, thought I would let you know about it.

@platinumazure
Copy link
Member

Can the regex be improved to prevent catastrophic backtracking without changing the function at all? If so, I would love to see a pull request.

If not, though, I agree that this isn't worth worrying about.

davisjam added a commit to davisjam/eslint that referenced this issue Feb 24, 2018
@davisjam
security: fix catastrophic backtracking vulnerability
42ebc8c 
Change template substitution regex to exclude fields with whitespace.
This addresses possible O(n^2) catastrophic backtracking behavior.

Very unlikely to be exploited. For eslint#10002.
@davisjam davisjam mentioned this issue Feb 24, 2018
Merged
@davisjam
Copy link
Contributor Author

Sure. See #10019.

davisjam added a commit to davisjam/eslint that referenced this issue Feb 24, 2018
@davisjam
Fix: remove catastrophic backtracking vulnerability
7499205 
Change template substitution regex to exclude fields with whitespace.
This addresses possible O(n^2) catastrophic backtracking behavior.

Very unlikely to be exploited. For eslint#10002.
davisjam added a commit to davisjam/eslint that referenced this issue Feb 24, 2018
@davisjam
Fix: remove catastrophic backtracking vulnerability
58ad0af 
Change template substitution regex to exclude fields with whitespace.
This addresses possible O(n^2) catastrophic backtracking behavior.

Very unlikely to be exploited. For eslint#10002.
@not-an-aardvark not-an-aardvark added bug ESLint is working incorrectly core Relates to ESLint's core APIs and features accepted There is consensus among the team that this change meets the criteria for inclusion and removed triage An ESLint team member will look at this issue soon labels Feb 25, 2018
This was referenced Mar 2, 2018
Merged
Closed
Closed
Closed
Merged
Merged
Closed
Merged
Closed
Closed
Merged
Merged
Merged
This was referenced Mar 16, 2018
Closed
Closed
Closed
This was referenced Mar 22, 2018
Open
Closed
Merged
Closed
Closed
Closed
Merged
Merged
Closed
Open
Closed
Closed
Merged
Closed
Closed
Merged
Merged
Closed
Closed
Closed
Closed
Open
Open
Closed
Closed
Open
Merged
@renovate renovate bot mentioned this issue Mar 23, 2018
Merged
@eslint-deprecated eslint-deprecated bot locked and limited conversation to collaborators Aug 28, 2018
@eslint-deprecated eslint-deprecated bot added the archived due to age This issue has been archived; please open a new issue for any further discussion label Aug 28, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
accepted There is consensus among the team that this change meets the criteria for inclusion archived due to age This issue has been archived; please open a new issue for any further discussion bug ESLint is working incorrectly core Relates to ESLint's core APIs and features
Projects
None yet
Milestone
No milestone
4 participants
@ljharb @platinumazure @not-an-aardvark @davisjam