This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed ReDoS (Regex Denial of Service) #1

Merged
merged 1 commit into from Aug 25, 2020


mufeedvh

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-maven-url-regex

⚙️ Description *

The project url-regex was validating URLs with a regex vulnerable to ReDoS (Regex Denial of Service) with RegExp().

💻 Technical Description *

The implemented Regex patterns to validate URLs are vulnerable to ReDoS:

const protocol = `(?:(?:[a-z]+:)?//)${options.strict ? '' : '?'}`;
const auth = '(?:\\S+(?::\\S*)?@)?';
const ip = ipRegex.v4().source;
const host = '(?:(?:[a-z\\u00a1-\\uffff0-9][-_]*)*[a-z\\u00a1-\\uffff0-9]+)';
const domain = '(?:\\.(?:[a-z\\u00a1-\\uffff0-9]-*)*[a-z\\u00a1-\\uffff0-9]+)*';
const tld = `(?:\\.${options.strict ? '(?:[a-z\\u00a1-\\uffff]{2,})' : `(?:${tlds.sort((a, b) => b.length - a.length).join('|')})`})\\.?`;
const port = '(?::\\d{2,5})?';
const path = '(?:[/?#][^\\s"]*)?';
const regex = `(?:${protocol}|www\\.)${auth}(?:localhost|${ip}|${host}${domain}${tld})${port}${path}`;

Using a long string to make it pass through this regex will lead to Denial of Service.

🐛 Proof of Concept (PoC) *

require('url-regex')({ strict: false }).test('018137.113.215.4074.138.129.172220.179.206.94180.213.144.175250.45.147.1364868726sgdm6nohQ')

🔥 Proof of Fix (PoF) *

Screenshot from 2020-08-18 21-12-45

As the used Regex is perfect to validate URLs but just vulnerable to ReDoS, I implemented node-re2 instead of the JavaScript RegExp() function as re2 can convert a vulnerable Regex pattern to a safe one preventing any backtracking regular expressions/attacks.

📚 Reference:

👍 User Acceptance Testing (UAT)

Replaced the usage of RegExp() function with a safer regex binding node-re2.
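
Added example, not part of the original pull request or of the url-regex code: a heuristic check that a reviewer could run over the regex fragments quoted in the description above, flagging any group that is repeated without bound while its body also contains an unbounded quantifier. The name `findNestedQuantifiers` is hypothetical, and a finding marks a fragment for manual review; it does not measure how slow the pattern is.

```javascript
// Added example (not from url-regex): heuristic scan of a regex source for a
// group that is repeated without bound while its body also contains an
// unbounded quantifier. findNestedQuantifiers is a hypothetical name.
function findNestedQuantifiers(source) {
  const findings = [];
  const stack = [{ start: 0, quantified: false }]; // root frame for top level
  // Length of an unbounded quantifier (*, + or {n,}) at index k, else 0.
  const quantLen = (k) =>
    (/^(?:[*+]|\{\d+,\})/.exec(source.slice(k)) || [''])[0].length;
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    let atomEnd = i + 1; // index just past the current atom
    let closed = null;   // frame of the group closed by this ')', if any
    if (c === '\\') {
      atomEnd = i + 2;   // escaped character, e.g. \d or \.
    } else if (c === '[') {
      let j = i + 1;     // skip the whole character class
      while (j < source.length && source[j] !== ']') j += source[j] === '\\' ? 2 : 1;
      atomEnd = j + 1;
    } else if (c === '(') {
      stack.push({ start: i, quantified: false });
      i += 1;
      continue;
    } else if (c === ')' && stack.length > 1) {
      closed = stack.pop();
    }
    const parent = stack[stack.length - 1];
    const q = quantLen(atomEnd);
    if (q > 0) {
      if (closed && closed.quantified) findings.push(source.slice(closed.start, atomEnd + q));
      parent.quantified = true;
    }
    if (closed && closed.quantified) parent.quantified = true;
    i = atomEnd;
  }
  return findings;
}

// Fragments copied from the pull request description above.
const fragments = {
  auth: '(?:\\S+(?::\\S*)?@)?',
  host: '(?:(?:[a-z\\u00a1-\\uffff0-9][-_]*)*[a-z\\u00a1-\\uffff0-9]+)',
  domain: '(?:\\.(?:[a-z\\u00a1-\\uffff0-9]-*)*[a-z\\u00a1-\\uffff0-9]+)*',
  port: '(?::\\d{2,5})?',
  path: '(?:[/?#][^\\s"]*)?',
};
for (const [name, src] of Object.entries(fragments)) {
  console.log(name, findNestedQuantifiers(src));
}
```

The `host` and `domain` fragments are the ones reported; `auth`, `port` and `path` come back empty because their groups are only made optional with `?`.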

@JamieSlome JamieSlome removed the request for review from Mik317 August 25, 2020 10:39
@JamieSlome JamieSlome merged commit 5ab007c into 418sec:master Aug 25, 2020
@huntr-helper
Member

Congratulations mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!

@niftylettuce

Just use url-regex-safe. https://github.com/niftylettuce/url-regex-safe
