Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Fix: remove catastrophic backtracking vulnerability #10019
What is the purpose of this pull request? (put an "X" next to item)
[ ] Documentation update
What changes did you make? (Give an overview)
Change template substitution regex to exclude fields with whitespace.
Very unlikely to be exploited. For #10002.
Is there anything you'd like reviewers to focus on?
A bit more complex than that. The original pattern contains a sub-sequence like this:
Because the middle group's character class includes whitespace, it will match a superset of this pattern, which is easier to reason about:
If the input contains a long sequence of whitespace, the regex engine has to decide when to move from one \s to the next.
The blow-up in this case is O(n^2). In the worst case catastrophic backtracking can be O(2^n).
It would be helpful if a developer can comment on whether this is a very low-risk security problem or just a potential problem if someone else were to copy/paste later.
If a real problem, I will follow up with Snyk.io to get a low-severity vulnerability ID assigned.
I don't think this is realistically exploitable, because only an ESLint rule can provide a string to that regex, and an ESLint rule already can execute arbitrary code. So I'm fine with removing it for performance reasons, but I don't consider this to be a security issue in its current location.