-
Notifications
You must be signed in to change notification settings - Fork 235
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerable Regular Expressions #212
Comments
Could you please elaborate on the fix, I'm curious. Thank you! |
Sorry, that was a standard comment I sent around. In this case it would not work! The anchoring solution is well suited when the regex is used for validation purposes. Let us say you want to check an input string is an email address. Instead of having a simple regex like: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]/ you should have something like: /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]$/ Word bounadries can also be used as explained here: This will decrease the complexity of the matching since the engine will only try to match the regex once, not n (length of input string) times like in the case of the first regex. |
Thanks for the explanation! I hope this gets fixed soon, it's giving my package red lights :( |
This issue now seems to being picked up by an |
Just wondering why it is a problem? For example, the string "underscore" algorithm could be a very complex one and may need lots of seconds to process a 50,000 characters long string. |
I recommend the following two articles for understanding the issue: Basically, the problem comes from the fact that the regex matching is done in the main loop of Node.js and thus blocking this loop for 2 seconds is equivalent to blocking all the incoming requests for 2 seconds. |
Thanks for the info. The example in the first link is a classic evil regex and it can be written in a more efficient way. The regex used in the "underscore" case is fine: /([A-Z\d]+)([A-Z][a-z])/g , which may not incur much performance penalty compared to an alternative implementation. I understand the impact of slowing regex matching to an application. My point is that if a regular expression is used correctly, then it is not a problem to be slow. |
For posterity, Snyk also reports it: I'm looking forward to solution. The html-stripping features, for example, at the competition are very poor and I can't find the alternative for |
Hey there! I haven't looked too closely at this issue but it was linked by @revelt above. I'd definitely suggest using the In the README I link to two articles, one indicating the regular expressions are not safe for removing dangerous HTML (here), and the second demonstrating that PHP's https://github.com/ericnorris/striptags take a look to see if that works for you - it uses a state machine very similar to the one that is in the PHP internals instead of a regular expression. As a result it is super fast and just as secure! |
This is a critical issue. The author and the contributors don't seem to care at all. Kill this project with fire. |
@Steve come on, it's not that bad :) team is just regrouping, I'm sure guys will fix that eventually |
…used so little there is no need for the extra dependency in Swagger-tools. Source: CERT Name: https://nodesecurity.io/advisories/536 Url: https://nodesecurity.io/advisories/536 Source: CERT Name: jprichardson/string.js#212 Url: jprichardson/string.js#212
…used so little there is no need for the extra dependency in Swagger-tools. Source: CERT Name: https://nodesecurity.io/advisories/536 Url: https://nodesecurity.io/advisories/536 Source: CERT Name: jprichardson/string.js#212 Url: jprichardson/string.js#212
@jprichardson, string.js is a nice library and I would prefer to continue using it; however, such a vulnerability isn't something that can be used in production. Are you aware of this issue or has the project been abandoned as the last update was about 11 months ago? |
#542) * Remove stringjs dependency due to vulnerability in string 3.3. It is used so little there is no need for the extra dependency in Swagger-tools. Source: CERT Name: https://nodesecurity.io/advisories/536 Url: https://nodesecurity.io/advisories/536 Source: CERT Name: jprichardson/string.js#212 Url: jprichardson/string.js#212 * Suggested changes.
@nconf-base I think now, because if you have As far as my stuff is concerned, I already replaced every I'm thinking, it can't be that all the methods of |
@revelt, I think you are correct the issue only affects a couple of the methods, specifically I think your idea of decomposing the larger string.js library into smaller pieces might help those who use the library without those particular methods. Splitting out the problem methods on a fork might be a start. How does your strip tags method differ from https://github.com/ericnorris/striptags that eric pointed out? |
@nconf-base it's assuming too much what results in bunch of false positives. I just scratched the surface with that issue, many of my unit tests fail because of For the record, |
@revelt, I'm not sure I would agree that Leaving If the input is "safe", then @nconf-base I would strongly suggest using |
@ericnorris I see your point. Basically, there are two kinds of HTML-stripping cases and we both are proponents of each. My case is Detergent.js, email text copy cleaning app - HTML can come in the input, there is high risk of false positives, but zero chance of rogue code being executed and code if does come, it comes unescaped. This way, code Your case is a regular web-dev ops where you clean HTML in order to defuse potentially malicious code. Prioritising security over risk of false positives. All code assumed to be escaped and unescaped-one a no-no.
Do you see my point? |
@revelt that's not tending both sides. Edit: If you refer to the use case of stripping first and then replacing any remaining |
@Jonast Yes, you are right, it's not safe and not valid in HTML. But... Detergent accepts both HTML and pure text and outputs text with sprinkled HTML or without. There is a thin path in here where Since user pastes the copy into Detergent, input is assumed to be safe, so I see no problems letting them output unencoded Having said that, I'm about to publish my type of HTML stripping tool which behaves like that. |
@az7arul Are you currently maintaining this or who is in charge here? |
Hi @StorytellerCZ, I wasn't maintaining this for a while. But for this I can take a look this weekend, meanwhile any PR that address this is welcome. |
// This function converts a binary string (can be HTML or JavaScript) to a safe string that can be used in a HTML file within JavaScript tags. // This function converts a Js safe string with quotation marks around it to its original source. It's the opposite of EncodeHTML() |
Oops. I just noticed that the above code didn't come out right. I should have put that code within CODE section, not as plain text, because the double backslash characters have been replaced with single. :/ |
Hello, any news about this ? |
@az7arul, thank you for looking into this. We have |
@ankurloriya No, the all-in-one monolithic replacement doesn't exist. But you can replace its methods one-by-one with libraries from npm. For example, I replaced Performance-wise, switching from monolithic |
String package have a vulnerability and was little used in project jprichardson/string.js#212
We changed to using various other libraries due to this security issue. Appears the project may be abandoned with #218 the http://stringjs.com/ domain apparently going away. Sad, it was a good library to have a lot of useful tools in one place. Hopefully it gets turned around for people. We just couldn't wait any longer for the security issue to be resolved. Cheers. |
We use string@3.3.3 to generate our header id. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. As a step towards removing string@3.3.3 as a dependencies, let's replace all usage of the 'string' methods with suitable equivalents. [1] - jprichardson/string.js#212
We no longer use string@3.3.3 in our codebase. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. Let's remove string@3.3.3 as one of our dependencies. [1] - jprichardson/string.js#212
We use string@3.3.3 to generate our header id. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. As a step towards removing string@3.3.3 as a dependencies, let's replace all usage of the 'string' methods with suitable equivalents. [1] - jprichardson/string.js#212
We no longer use string@3.3.3 in our codebase. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. Let's remove string@3.3.3 as one of our dependencies. [1] - jprichardson/string.js#212
markdown-it-anchor@4.0.0 uses string@3.3.3. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. It is also no longer in use in markdown-it-anchor@5.0.0. Let's upgrade markdown-it-anchor, so that it no longer uses string@3.3.3. [1] - jprichardson/string.js#212
markdown-it-table-of-contents@0.3.2 uses string@3.3.3. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. It is also no longer in use in markdown-it-table-of-contents@0.4.0. Let's upgrade markdown-it-table-of-contents, so that it no longer uses string@3.3.3. [1] - jprichardson/string.js#212
We no longer use string@3.3.3 in our codebase. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. Let's remove string@3.3.3 as one of our dependencies. [1] - jprichardson/string.js#212
We no longer use string@3.3.3 in our codebase. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. Let's remove string@3.3.3 as one of our dependencies. [1] - jprichardson/string.js#212
We no longer use string@3.3.3 in our codebase. string@3.3.3 is reported to be unsafe and contains vulnerabilities [1]. Let's remove string@3.3.3 as one of our dependencies. [1] - jprichardson/string.js#212
The following regular expressions used in underscore and unescapeHTML methods are vulnerable to ReDoS:
The slowdown is moderately low (for 50,000 characters around 2 seconds matching time). I would suggest one of the following:
If needed, I can provide an actual example showing the slowdown.
The text was updated successfully, but these errors were encountered: