
[VULNERABILITY] Parsing a long String will result in 100% CPU usage and String.test will never finish #70

Closed
niftylettuce opened this issue Apr 26, 2020 · 12 comments

niftylettuce (Collaborator) commented Apr 26, 2020

IMPORTANT UPDATE (8/15/20)

Per my comment below, I have released my own package, url-regex-safe, which resolves this issue, and all (solvable) existing issues and pull requests here in this GitHub repository. The new package has 100% test coverage and is available at https://github.com/niftylettuce/url-regex-safe. It has more sensible defaults as well.


Example:

```js
> require('url-regex')({ strict: false }).test('018137.113.215.4074.138.129.172220.179.206.94180.213.144.175250.45.147.1364868726sgdm6nohQ')
```

The only way to exit out is to SIGINT.

niftylettuce (Collaborator, Author) commented:

cc @sindresorhus

@niftylettuce niftylettuce changed the title **CORE BUG + SECURITY VULNERABILITY** Parsing a long String will result in 100% CPU usage and String.test will never finish **CORE BUG + VULNERABILITY** Parsing a long String will result in 100% CPU usage and String.test will never finish Apr 26, 2020
@niftylettuce niftylettuce changed the title **CORE BUG + VULNERABILITY** Parsing a long String will result in 100% CPU usage and String.test will never finish [VULNERABILITY] Parsing a long String will result in 100% CPU usage and String.test will never finish Apr 26, 2020
niftylettuce (Collaborator, Author) commented:

I think the solution might be to use this https://github.com/uhop/node-re2/

niftylettuce (Collaborator, Author) commented:

I've confirmed that using RE2 package resolves this issue.

You may want to incorporate or suggest in the docs @sindresorhus for get-urls?

michelnev commented:

I second addressing this issue. I'm hitting this periodically.
I'll make my own version using RE2 for now.

niftylettuce (Collaborator, Author) commented May 17, 2020

I think I should disclose this to snyk.io and GitHub. Disclosed to Snyk.io by their web form and email. Over 3M downloads of url-regex per month, this is a core vulnerability that can cause a Denial of Service attack.

niftylettuce (Collaborator, Author) commented:

This was discovered per my research and development with https://forwardemail.net, https://github.com/spamscanner/spamscanner, and https://github.com/ladjs.

ggkitsas commented Jun 2, 2020

Hi,
I am communicating on behalf of Snyk's Security Team. We have verified this vulnerability and reached out to try and discuss this issue further with the maintainers several times. As of now we have yet to get a response, and due to this vulnerability already being exposed publicly, we feel the responsible thing to do is to move to official disclosure.

We have internally assigned a CVE to this vulnerability and will be looking to publish it in our public database in the next 24 hours - if any of the maintainers wish to reach out to us and discuss or wish for us to wait - please do reach out either here or to our disclosure email report@snyk.io, as we would be very happy to discuss with the maintainer team before publishing.

George,
Snyk Security Team

AviVahl added a commit to wix/stylable that referenced this issue Jun 23, 2020
url-regex has a security vulnerability.

is-url-superb uses native URL api to verify text is a valid url. much cleaner.

ref:
GHSA-v4rh-8p82-6h5w
kevva/url-regex#70
asteffey added a commit to asteffey/fcc-url-shortener-microservice that referenced this issue Jun 24, 2020
Addresses security vulnerability described at kevva/url-regex#70
arderyp commented Jul 6, 2020

@kevva @joakimbeng @sindresorhus @joostverdoorn @BendingBender

Thoughts?

justinlazaro-iselect commented:

any update on this?

arderyp commented Aug 8, 2020

unfortunately, I think the project is dead

joostverdoorn (Contributor) commented:

I think PRs are welcome, but the project is no longer actively maintained

niftylettuce (Collaborator, Author) commented Aug 15, 2020

This issue is fixed in my maintained and modern version of this package at https://github.com/niftylettuce/url-regex-safe. You should be able to switch from url-regex to url-regex-safe now. See the updated list of options as I added some new ones, and changed a few defaults to more sensible ones (since not everyone is parsing Markdown for instance).

ikhemissi added a commit to ikhemissi/metascraper that referenced this issue Aug 19, 2020
The package [url-regex](https://www.npmjs.com/package/url-regex) has a [Regular Expression Denial of Service vulnerability](https://www.npmjs.com/advisories/1550) and it looks like it is [not maintained anymore](kevva/url-regex#70).
This PR replaces url-regex with [url-regex-safe](https://www.npmjs.com/package/url-regex-safe) which solves the problem above while providing a drop-in replacement for url-regex.
Kikobeats added a commit to microlinkhq/metascraper that referenced this issue Aug 20, 2020
* fix: Use url-regex-safe to fix url-regex vulnerability

The package [url-regex](https://www.npmjs.com/package/url-regex) has a [Regular Expression Denial of Service vulnerability](https://www.npmjs.com/advisories/1550) and it looks like it is [not maintained anymore](kevva/url-regex#70).
This PR replaces url-regex with [url-regex-safe](https://www.npmjs.com/package/url-regex-safe) which solves the problem above while providing a drop-in replacement for url-regex.

* Update package.json

Co-authored-by: Kiko Beats <josefrancisco.verdu@gmail.com>
andeemarks added a commit to andeemarks/xxtechconfspeakers-gatsby that referenced this issue Sep 12, 2020
Repository owner deleted a comment from huntr-helper Nov 24, 2020
Repository owner locked as resolved and limited conversation to collaborators Nov 24, 2020