Security Fix for Regular Expression Denial of Service (ReDoS) - huntr.dev

[huntr-helper]

https://huntr.dev/users/mufeedvh has fixed the Regular Expression Denial of Service (ReDoS) vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #70
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/maven/url-regex/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-maven-url-regex

⚙️ Description *

The project url-regex was validating URLs with a regex vulnerable to ReDoS (Regex Denial of Service) with RegExp().

💻 Technical Description *

The implemented Regex patterns to validate URLs are vulnerable to ReDoS:

const protocol = `(?:(?:[a-z]+:)?//)${options.strict ? '' : '?'}`;
const auth = '(?:\\S+(?::\\S*)?@)?';
const ip = ipRegex.v4().source;
const host = '(?:(?:[a-z\\u00a1-\\uffff0-9][-_]*)*[a-z\\u00a1-\\uffff0-9]+)';
const domain = '(?:\\.(?:[a-z\\u00a1-\\uffff0-9]-*)*[a-z\\u00a1-\\uffff0-9]+)*';
const tld = `(?:\\.${options.strict ? '(?:[a-z\\u00a1-\\uffff]{2,})' : `(?:${tlds.sort((a, b) => b.length - a.length).join('|')})`})\\.?`;
const port = '(?::\\d{2,5})?';
const path = '(?:[/?#][^\\s"]*)?';
const regex = `(?:${protocol}|www\\.)${auth}(?:localhost|${ip}|${host}${domain}${tld})${port}${path}`;

Using a long string to make it pass through this regex will lead to Denial of Service.

🐛 Proof of Concept (PoC) *

require('url-regex')({ strict: false }).test('018137.113.215.4074.138.129.172220.179.206.94180.213.144.175250.45.147.1364868726sgdm6nohQ')

🔥 Proof of Fix (PoF) *

As the used Regex is perfect to validate URLs but just vulnerable to ReDoS, I implemented node-re2 instead of the JavaScript RegExp() function as re2 can convert a vulnerable Regex pattern to a safe one preventing any backtracking regular expressions/attacks.

📚 Reference:

• https://www.npmjs.com/package/re2#standard-features
• [VULNERABILITY] Parsing a long String will result in 100% CPU usage and String.test will never finish #70 (comment)

👍 User Acceptance Testing (UAT)

Replaced the usage of RegExp() function with a safer regex binding node-re2.

[niftylettuce]

Just use https://github.com/niftylettuce/url-regex-safe. It's the official resolution in the CVE/Snyk advisory.

[niftylettuce]

I would hope you donate that bug bounty reward to a charity @mufeedvh

[JamieSlome]

@kevva - any updates on this?

Cheers! 🍰

[niftylettuce]

@JamieSlome see https://github.com/niftylettuce/url-regex-safe