Vulnerable Regular Expressions #10

Open
cristianstaicu opened this issue Sep 7, 2017 · 9 comments

Comments

@cristianstaicu

The following regular expressions used for parsing the dates are vulnerable to ReDoS:

/(\d+)milli(?:second)?[s]?/i
/(\d+)second[s]?/i
...

The slowdown is relatively large when combining the slowdown produced by all the regexes (for 50,000 characters around 10 seconds matching time). I would suggest one of the following:

  • remove the regex,
  • anchor the regex,
  • limit the number of characters that can be matched by the repetition,
  • limit the input size.

If needed, I can provide an actual example showing the slowdown.
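The following is an added example, not code from this issue or from TimeSpan.js, showing what the mitigations listed above look like when applied together: each unit pattern is anchored at both ends, the digit group uses bounded repetition instead of `\d+`, and the input length is capped before any regex runs. The `milli`/`second` suffixes follow the patterns quoted in the issue; the `minute`/`hour` units, the two limits and the function names are assumptions made for this example.

```javascript
// Added example: a hardened duration-unit parser illustrating the mitigations
// proposed in this issue (anchor the regex, bound the repetition, cap the
// input size). Not TimeSpan.js code; the unit list, the limits and the
// function names are assumptions made for the example.

// Assumption: legitimate inputs are short ("1500milliseconds", "30 seconds").
// Anything longer is rejected before a single regex runs.
const MAX_INPUT_LENGTH = 64;

// Assumption: 15 digits keeps the parsed value below Number.MAX_SAFE_INTEGER
// and bounds the backtracking inside the digit group to a constant.
const MAX_DIGITS = 15;

// The patterns reported in the issue look like /(\d+)second[s]?/i: unanchored,
// with an unbounded \d+. On a long run of digits the engine retries (\d+) from
// every start position and backtracks through every possible length, which is
// quadratic work. The hardened form fixes both problems:
//   ^ ... $    exactly one start position is tried
//   \d{1,15}   at most MAX_DIGITS lengths are tried per attempt
//   \s?        no unbounded whitespace quantifier either
const DIGITS = `(\\d{1,${MAX_DIGITS}})`;
function unitPattern(suffix) {
  return new RegExp(`^${DIGITS}\\s?${suffix}$`, 'i');
}

// Multipliers to milliseconds. "milli" and "second" follow the issue's
// patterns; "minute" and "hour" are assumed extra units.
const UNITS = [
  { re: unitPattern('milli(?:second)?s?'), ms: 1 },
  { re: unitPattern('seconds?'),           ms: 1000 },
  { re: unitPattern('minutes?'),           ms: 60 * 1000 },
  { re: unitPattern('hours?'),             ms: 60 * 60 * 1000 },
];

// Returns the duration in milliseconds, or null when the input is not a
// well-formed "<digits><unit>" string or exceeds the size limits.
function parseDuration(input) {
  if (typeof input !== 'string') return null;
  // Input-size cap: with this in place every regex below runs in bounded time
  // regardless of its shape.
  if (input.length > MAX_INPUT_LENGTH) return null;
  const text = input.trim();
  for (const { re, ms } of UNITS) {
    const m = re.exec(text);
    if (m !== null) return Number(m[1]) * ms;
  }
  return null;
}

// Regression check a maintainer can keep in the test suite: a long digit run,
// the input shape that makes the unbounded pattern slow, must be rejected
// quickly. Returns the elapsed milliseconds so the caller can assert on it.
function timeParse(input) {
  const start = Date.now();
  parseDuration(input);
  return Date.now() - start;
}

console.log(parseDuration('1500milliseconds'));   // 1500
console.log(parseDuration('30 seconds'));         // 30000
console.log(parseDuration('1'.repeat(50000)));    // null, rejected by the size cap
console.log(timeParse('1'.repeat(50000)) < 1000); // true
```

The size cap alone is the cheapest fix and is independent of the regex engine; anchoring and bounded repetition additionally keep each pattern linear even if the cap is ever raised, so the two protections do not rely on each other.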

@reaktivo

reaktivo commented Oct 3, 2017

Bump

@marin-liovic

Anybody working on this issue? Could you @cristianstaicu create a PR with the fix?

@bennycode

This issue got reported to me through the Node Security Platform: https://nodesecurity.io/advisories/533

DanailMinchev added a commit to alphagov/pay-direct-debit-frontend that referenced this issue Nov 17, 2017
We don't need `forever` when running in Amazon EC2 Container Service.

Also, `forever@0.15.3` depends on `timespan`, which has a "Regular Expression Denial of Service (ReDoS)" vulnerability: https://snyk.io/vuln/npm:timespan:20170907

There is an issue open for `timespan` here: indexzero/TimeSpan.js#10 (not fixed).
DanailMinchev added a commit to alphagov/pay-products-ui that referenced this issue Nov 17, 2017


Transitive dependency pulled in by Forever. Vulnerability does not affect us because it requires a specially-crafted input string and Forever only ever uses input from the system clock.

See:
indexzero/TimeSpan.js#10
https://payments-platform.atlassian.net/browse/PP-2687
DanailMinchev added a commit to alphagov/pay-products-ui that referenced this issue Nov 20, 2017


Transitive dependency pulled in by Forever. Vulnerability does not affect us because it requires a specially-crafted input string and Forever only ever uses input from the system clock.

See:
indexzero/TimeSpan.js#10
https://payments-platform.atlassian.net/browse/PP-2687
DanailMinchev added a commit to alphagov/pay-products-ui that referenced this issue Nov 29, 2017


Transitive dependency pulled in by Forever. Vulnerability does not affect us because it requires a specially-crafted input string and Forever only ever uses input from the system clock.

See:
indexzero/TimeSpan.js#10
https://payments-platform.atlassian.net/browse/PP-2687
DanailMinchev added a commit to alphagov/pay-frontend that referenced this issue Dec 8, 2017
…an:20170907

Transitive dependency pulled in by Forever. Vulnerability does not affect us because it requires a specially-crafted input string and Forever only ever uses input from the system clock.

See:
indexzero/TimeSpan.js#10
https://payments-platform.atlassian.net/browse/PP-2687
@Retro64

Retro64 commented May 7, 2018

Any estimation, when this will be tackled or fixed? @indexzero @mstum

@eruby94

eruby94 commented May 8, 2018

Also wondering when this will be fixed...

@ghost

ghost commented May 8, 2018

npm 6 tells users about vulnerabilities. Hopefully this gets fixed before that's released with node.

@lightheaded

Bump. Would really like not getting security vulnerability warnings in the console :)

@mstum

mstum commented Sep 8, 2018

Just a heads up, I'm not involved in this fork, so I don't know anything more here.

@huntr-helper

🛠️ A fix has been provided for this issue. Please reference: 418sec#1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.
