[2609] fix ReDoS vulnerability in email regex #2824
Conversation
Hey @colinhacks, could we please get a tiny patch release for this one 🙇
Bump!
Thanks @MacsDickinson this is massively appreciated
May I ask what speaks against using the HTML5 spec regex instead of a hand-rolled one? An old variant is even already in the source (commented out), and PR #2157 even says:
The HTML5 spec regex is not vulnerable: https://stackoverflow.com/a/8829363. From the previous PR, I also want to mention someone mentioned emails like
Could you please backport it to 3.21.4?
The email regex we plan to use for Valibot is more accurate and twice as fast. If interested, I can provide more details.
Here is the final regex we plan to use for Valibot.
I opened #2849 to add a redos check to eslint |
May I ask what environment did you use to test it? I'm trying to replicate the issue, but the vulnerable expression seems to perform well anywhere I test.
It looks safe to me! I usually use devina when checking for redos vulnerabilities. Anyway, here's what it says: Btw, I've been looking for the perfect email regex for over 3 years, I'm honestly surprised that this works.
Fixes #2609

The current regex used for email validation contains "catastrophic backtracking", specifically `([A-Z0-9_+-]+\.?)*`. This gets evaluated inefficiently by JS, resulting in an exponential increase in execution time for failed matches. This can be replicated easily - here's execution time against `^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$`

This PR provides an alternative regex. Rather than matching on the `(aaaaa.)+` we instead do a negative lookahead for the presence of `..` or the email starting with a `.`. This approach isn't susceptible to ReDoS - here's execution time against `^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$`
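As an added example, not code from this PR or from zod, the script below runs both patterns quoted in the description over a constructed corpus and reports where their verdicts differ, which is the check a reviewer wants before swapping a validation regex; it assumes the `i` flag zod applies to its email regex. It also shows that inside the new class `[A-Z0-9_+-\.]` the sequence `+-\.` is parsed as the character range U+002B..U+002E, so the new pattern accepts a comma in the local part where the old one did not.

```javascript
// Added example (not the PR's or zod's own code): differential check of the
// vulnerable email regex and the replacement proposed in this PR. Both patterns
// are copied from the PR description; the `i` flag mirrors zod's usage (assumption).
const OLD_EMAIL_RE = /^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
const NEW_EMAIL_RE = /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;

// Constructed corpus: [input, verdict the validator is meant to give].
const CASES = [
  ["user@example.com", true],
  ["first.last+tag@sub.example.co.uk", true],
  ["a.b.c@example.com", true],
  [".user@example.com", false],       // local part may not start with '.'
  ["user..name@example.com", false],  // no consecutive dots
  ["user.@example.com", false],       // no dot directly before '@'
  ["user@example", false],            // domain needs a dotted label plus TLD
  ["user@-example.com", false],       // a label may not start with '-'
  ["user@exa mple.com", false],       // whitespace never allowed
  // In the new pattern the class `[A-Z0-9_+-\.]` contains the range `+-\.`,
  // i.e. U+002B..U+002E, which also covers ','. The old class did not.
  ["user,name@example.com", false],
];

// Inputs on which the old and new pattern disagree: the real diff of the swap.
function disagreements(cases, oldRe, newRe) {
  return cases.map(([s]) => s).filter((s) => oldRe.test(s) !== newRe.test(s));
}

// Inputs where a pattern's verdict differs from the intended one.
function mismatches(cases, re) {
  return cases.filter(([s, want]) => re.test(s) !== want).map(([s]) => s);
}

console.log("old vs new disagree on:", disagreements(CASES, OLD_EMAIL_RE, NEW_EMAIL_RE));
console.log("old pattern mismatches:", mismatches(CASES, OLD_EMAIL_RE));
console.log("new pattern mismatches:", mismatches(CASES, NEW_EMAIL_RE));
```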