Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

util: expose stripVTControlCharacters() #40214

Merged
merged 2 commits into from
Oct 2, 2021
Merged

util: expose stripVTControlCharacters() #40214

merged 2 commits into from
Oct 2, 2021

Conversation

cjihrig
Copy link
Contributor

@cjihrig cjihrig commented Sep 25, 2021

This PR exposes the existing stripVTControlCharacters() method with docs and some additional input validation. It also improves the regex used by the function.

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. util Issues and PRs related to the built-in util module. labels Sep 25, 2021
mcollina
mcollina approved these changes Sep 27, 2021
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cjihrig cjihrig added request-ci Add this label to start a Jenkins CI on a PR. and removed needs-ci PRs that need a full CI run. labels Oct 2, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Oct 2, 2021
edited by cjihrig
Loading

CI: https://ci.nodejs.org/job/node-test-pull-request/40124/ 💛

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 2, 2021
@nodejs nodejs deleted a comment from nodejs-github-bot Oct 2, 2021
@cjihrig cjihrig added the semver-minor PRs that contain new features and should be released in the next minor version. label Oct 2, 2021
@cjihrig
util: expose stripVTControlCharacters()
396b14b 
This commit exposes the existing stripVTControlCharacters()
method with docs and some additional input validation.

PR-URL: nodejs#40214
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@cjihrig
util: improve ansi escape code regex
606bb52 
PR-URL: nodejs#40214
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@cjihrig cjihrig merged commit 606bb52 into nodejs:master Oct 2, 2021
@cjihrig cjihrig deleted the strip-ansi branch October 2, 2021 02:59
@cjihrig
Copy link
Contributor Author

cjihrig commented Oct 2, 2021

Landed in 396b14b and 606bb52.

targos pushed a commit that referenced this pull request Oct 4, 2021
@cjihrig @targos
util: expose stripVTControlCharacters()
f4164fa 
This commit exposes the existing stripVTControlCharacters()
method with docs and some additional input validation.

PR-URL: #40214
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Oct 4, 2021
@cjihrig @targos
util: improve ansi escape code regex
66d3101 
PR-URL: #40214
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@danielleadams danielleadams mentioned this pull request Oct 4, 2021
Merged
@thoger
Copy link

thoger commented Oct 13, 2021

The regex improvement change (606bb52 / 66d3101) is actually a port of the ansi-regex fix for the CVE-2021-3807 regular expression DoS (ReDoS) issue. References for the fix in ansi-regex:

chalk/ansi-regex#37
chalk/ansi-regex@8d1d7cd

Are there any plans to apply this fix to 14 and 12 as well?

@mcollina
Copy link
Member

This regexp was not exposed prior to this PR and not exploitable.

@thoger
Copy link

thoger commented Oct 13, 2021

While stripVTControlCharacters() wasn't previously exposed directly (not counting uses with --expose-internals), it is used by getStringWidth(), which is used by other modules - readline, cli_table, source_map. I've not reviewed all these cases, only managed to trigger the regex via readline's rl.write(), just make it write the attack_str as used in the original reproducer: chalk/ansi-regex#37 (comment)

I'm not aware of any real world use case practically exploitable via this issue.

@thoger
Copy link

thoger commented Oct 13, 2021

readline reproducer:

const readline = require('readline');
const rl = readline.createInterface({
	input: process.stdin,
	output: process.stdout,
});

for(var i = 1; i <= 5; i++) {
	var time = Date.now();
	var attack_str = "\u001B["+";".repeat(i*10000);
	rl.write(attack_str);
	var time_cost = Date.now() - time;
	console.log("_attack_str.length: " + attack_str.length + ", time: " + time_cost + " ms")
}

rl.close()

@mcollina
Copy link
Member

Readline is a developer utility. This is not going to cause a DoS attack.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VoltrexKeyva VoltrexKeyva VoltrexKeyva left review comments

@Mesteery Mesteery Mesteery left review comments

@BridgeAR BridgeAR BridgeAR approved these changes

@JungMinu JungMinu JungMinu approved these changes

@jasnell jasnell jasnell approved these changes

@mcollina mcollina mcollina approved these changes

Assignees
No one assigned
Labels
semver-minor PRs that contain new features and should be released in the next minor version. util Issues and PRs related to the built-in util module.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@cjihrig @nodejs-github-bot @thoger @mcollina @jasnell @JungMinu @BridgeAR @Mesteery @VoltrexKeyva