
Fix potential ReDoS #37

Merged
merged 1 commit into from Sep 10, 2021

Conversation

@yetingli (Contributor) commented Sep 9, 2021

No description provided.

@Qix- (Member) commented Sep 9, 2021

Hi, normally we'd appreciate an email prior to submitting security patches, please keep this in mind as it's a pretty typical part of responsible disclosure.

Can you also provide some context for the redos? What sorts of input will cause issues?

@yetingli (Contributor, Author) commented Sep 9, 2021

Thanks for reminding. Sorry, I can't find your email. Could you tell me your email?

@Qix- (Member) commented Sep 9, 2021

Well cat is out of the bag now, just write here. You can find emails in the commit messages of repositories by the way.

@yetingli (Contributor, Author) commented Sep 10, 2021

Proof of Concept

```js
import ansiRegex from 'ansi-regex';

// Each iteration builds ESC '[' followed by i * 10000 ';' characters (no
// terminator) and measures how long a single test() call takes on it.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B[" + ";".repeat(i * 10000);
    ansiRegex().test(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
```

The ReDoS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`

@Qix- Qix- merged commit 8d1d7cd into chalk:main Sep 10, 2021
@Qix- (Member) commented Sep 10, 2021

Thank you for the reproduction and the patch, was able to reproduce.

I'll push out an update immediately.

@Qix- (Member) commented Sep 10, 2021

Published as 6.0.1 - thanks again!

@sindresorhus (Member) commented Sep 11, 2021

Thanks. It would have been good to have a regression test to ensure we don't accidentally regress the regex in the future.
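Added example, written for this page and not code from the thread or from the ansi-regex project. It picks up yetingli's proof of concept and sub-pattern analysis above, and the regression-test suggestion just made: a simplified model of the two quantified sub-patterns, a hardened rewrite of that model, and a check that would catch the quadratic behaviour if it came back. Both regexes are my simplified assumptions covering only the BEL-terminated branch of the pattern (the project's actual fix is commit 8d1d7cd), the legitimate sequences are constructed, and `process.hrtime` assumes Node.

```javascript
// Added example, not ansi-regex's own code. It models the two quantified
// sub-patterns named in the PR, pairs that model with a hardened rewrite,
// and wraps the PoC input in a regression check. Both regexes are simplified
// assumptions covering only the BEL-terminated branch of the pattern; the
// library's real fix is commit 8d1d7cd.

// Vulnerable model: the prefix class [[\]()#;?]* and the group (?:;[...]*)*
// can both consume ';'. On a long run of ';' with no terminator the engine
// tries every split between the two before failing: quadratic in the length.
const VULNERABLE =
  /[\u001B\u009B][\[\]()#;?]*(?:[a-zA-Z\d]*(?:;[-a-zA-Z\d\/#&.:=?%@~_]*)*)?\u0007/;

// Hardened model (assumption): after the prefix, every group iteration must
// consume at least one non-';' character, so a run of ';' can be split only
// one way and rejection is linear in the length.
const HARDENED =
  /[\u001B\u009B][\[\]()#;?]*(?:(?:;[-a-zA-Z\d\/#&.:=?%@~_]+)*|[a-zA-Z\d]+(?:;[-a-zA-Z\d\/#&.:=?%@~_]*)*)?\u0007/;

// The PoC's input shape: ESC '[' followed by n ';' and no terminating BEL.
function attackString(n) {
  return '\u001B[' + ';'.repeat(n);
}

// Time one test() call; returns the match result and elapsed milliseconds.
function timeMatch(regex, input) {
  const start = process.hrtime.bigint();
  const matched = regex.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Elapsed time at 4n divided by elapsed time at n: roughly 4 for a linear
// regex, roughly 16 for a quadratic one (noisy for very small n).
function growthRatio(regex, n) {
  const small = timeMatch(regex, attackString(n)).ms;
  const large = timeMatch(regex, attackString(4 * n)).ms;
  return large / Math.max(small, 0.001);
}

// Regression check: constructed legitimate sequences must still match,
// non-sequences must not, and the attack input must be rejected within budget.
function regressionCheck(regex, { n = 100000, budgetMs = 1000 } = {}) {
  const mustMatch = [
    '\u001B]8;;https://example.com\u0007', // OSC 8 hyperlink (constructed)
    '\u001B]0;build-ok\u0007',             // OSC 0 window title (constructed)
  ];
  const mustNotMatch = ['plain text', '\u001B[;;;'];
  const attack = timeMatch(regex, attackString(n));
  const acceptsLegit = mustMatch.every(s => regex.test(s));
  const rejectsOther = mustNotMatch.every(s => !regex.test(s));
  return {
    acceptsLegit,
    rejectsOther,
    attackMs: attack.ms,
    ok: acceptsLegit && rejectsOther && !attack.matched && attack.ms <= budgetMs,
  };
}

console.log('vulnerable growth ratio (n=2000 -> 8000):', growthRatio(VULNERABLE, 2000).toFixed(1));
console.log('hardened growth ratio   (n=2000 -> 8000):', growthRatio(HARDENED, 2000).toFixed(1));
console.log('hardened regression check:', regressionCheck(HARDENED));
```

The growth ratio is the useful signal for a regression test: a fixed time budget alone passes on a fast machine and fails on a slow CI runner, whereas the ratio between two input sizes separates linear from quadratic behaviour regardless of absolute speed. The functional inputs in `regressionCheck` matter just as much, since a regex rewrite that stops matching real OSC sequences is a different regression.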

@carnil commented Sep 17, 2021

CVE-2021-3807 was assigned for this issue.

@Qix- (Member) commented Sep 17, 2021

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 High

Yet another example of how laughably broken CVE scores are.

@mariusbutuc commented Sep 22, 2021

@yetingli first of all, big thanks for the contribution! 🙏🏼

Secondly, thanks to this PR I've also learned today about security policies within repos/GitHub and noticed this too: https://github.com/chalk/ansi-regex/security/policy — perhaps this can help smoothen things out in the future. 😊

MylesBorins added a commit to MylesBorins/ansi-regex that referenced this issue Nov 3, 2021
This is a backport of chalk@8d1d7cd

the test suite on the 3.0.0 branch is broken but I've manually verified
that no additional tests are broken and that this patch fixes the REDOS
@Qix- Qix- mentioned this pull request Nov 3, 2021