Skip to content

Commit

Permalink
fixed regexes to avoid ReDoS attacks
Browse files Browse the repository at this point in the history
  • Loading branch information
jeffrey-pinyan-ithreat committed May 13, 2021
1 parent 5d23c14 commit 09e1086
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 3 deletions.
1 change: 1 addition & 0 deletions .npmignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
.travis.yml
redos.js
test.js
6 changes: 3 additions & 3 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
// Regex to split a windows path into three parts: [*, device, slash,
// tail] windows-only
var splitDeviceRe =
/^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
/^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;

// Regex to split the tail part of the above into [*, dir, basename, ext]
var splitTailRe =
/^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
/^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;

var win32 = {};

Expand Down Expand Up @@ -51,7 +51,7 @@ win32.parse = function(pathString) {
// Split a filename into [root, dir, basename, ext], unix version
// 'root' is just a slash, or nothing.
var splitPathRe =
/^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
/^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
var posix = {};


Expand Down
20 changes: 20 additions & 0 deletions redos.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
var pathParse = require('.');

function build_attack(n) {
var ret = ""
for (var i = 0; i < n; i++) {
ret += "/"
}
return ret + "◎";
}

for(var i = 1; i <= 5000000; i++) {
if (i % 10000 == 0) {
var time = Date.now();
var attack_str = build_attack(i)
pathParse.posix(attack_str);
pathParse.win32(attack_str);
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}

0 comments on commit 09e1086

Please sign in to comment.