Regex backtracking issues #1312
@davisjam reported some potential regex backtracking vulnerabilities to us via email. In such a vulnerability, extremely long inputs could cause a regex to block for a very long time while parsing.
We believe there is no significant risk to these particular issues. Four of the six are in the jsdoc template, and therefore do not affect Shaka Player itself. The other two are in the TTML text parser.
Application developers generally have some control or trust in their content catalogs and are not subject to malicious TTML content. Such content, if encountered, would only cause individual browser tabs to lock up. Shaka Player does not run in Node.js or other such environments, and we do not expect this could be used for any kind of DoS attack.
The affected regex should be refactored to avoid this. @davisjam recommends these tools to assess progress:
Here are the details of the reported vulnerabilities:
For those unfamiliar with catastrophic backtracking, here is a short explanation.
Consider the following regex:
So if you have an input string of
But what if the second
You see there are 10 attempts to match the given string, which is really just a series of a's. The regex
In the TTML parser we use the regex
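The regex and input strings from the explanation above are not reproduced on this page, so the following added example (not code from Shaka Player, jsdoc or prettify) uses the textbook nested-quantifier pattern `/^(a+)+$/` to show the same effect and how a maintainer can measure it before and after a fix: a growth-factor check on worst-case inputs, a time-budget check for the rewritten regex, and a check that the rewrite still accepts and rejects the same strings. The names `VULNERABLE`, `SAFE`, `worstCase`, `growthFactor`, `finishesWithin` and `sameDecisions`, and the sample inputs, are assumptions of the example.

```javascript
// Added example, not code from Shaka Player, jsdoc or prettify: a small
// check a maintainer can run on a regex to see whether its worst-case
// match time grows exponentially with input length (Node.js, uses the
// global performance.now()).

// Textbook catastrophic-backtracking shape: a quantifier nested inside
// another quantifier over the same characters, anchored so that a near
// miss forces the whole match to fail. Every way of splitting the run of
// "a"s between the inner and outer "+" is tried before the engine gives
// up, so the work roughly doubles with each extra character.
const VULNERABLE = /^(a+)+$/;

// Same language, one quantifier: there is only one way to consume the
// run, so a failing input is rejected in linear time.
const SAFE = /^a+$/;

// Worst-case input (constructed): a long run that almost matches, then a
// character that guarantees failure.
function worstCase(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock time of one regex test, in milliseconds.
function timeMatch(re, input) {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// How much longer a failing match takes when the input grows by `step`
// characters. A linear regex gives a factor near 1 (plus timer noise);
// an exponentially backtracking one gives a factor near 2 ** step.
function growthFactor(re, n, step) {
  // Warm up so that both timed runs use the same engine tier.
  re.test(worstCase(4));
  re.test(worstCase(4));
  const small = Math.max(timeMatch(re, worstCase(n)), 0.001);
  const large = timeMatch(re, worstCase(n + step));
  return large / small;
}

// True when a failing match on `n` characters finishes inside `budgetMs`.
function finishesWithin(re, n, budgetMs) {
  return timeMatch(re, worstCase(n)) < budgetMs;
}

// A rewrite is only acceptable if it makes the same accept/reject decisions.
function sameDecisions(reA, reB, inputs) {
  return inputs.every((s) => reA.test(s) === reB.test(s));
}

// Constructed sample inputs covering empty, matching and near-miss strings.
const SAMPLE_INPUTS = ['', 'a', 'aaaa', 'aaa!', 'b', 'aab', '!aaa', worstCase(8)];

console.log('growth factor of VULNERABLE for 18 -> 22 chars:',
  growthFactor(VULNERABLE, 18, 4).toFixed(1));
console.log('SAFE rejects 100000 chars within 100 ms:',
  finishesWithin(SAFE, 100000, 100));
console.log('SAFE makes the same decisions as VULNERABLE:',
  sameDecisions(VULNERABLE, SAFE, SAMPLE_INPUTS));
```

Adding four characters to the worst-case input should make the vulnerable regex take roughly sixteen times longer, while the single-quantifier rewrite handles inputs thousands of times longer in well under the budget. The `sameDecisions` check is the part that is easy to forget: a rewrite such as `/^a*$/` looks similar but accepts the empty string, which the original rejects, and the check reports that difference.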
The vulnerable expressions in jsdoc are all from the "prettify" module, which enables syntax highlighting for CSS. https://github.com/jsdoc3/jsdoc/tree/master/templates/default/static/scripts/prettify
That code seems to have been forked in 2012 and never updated. The original code has been updated a few times since then: https://github.com/google/code-prettify/commits/master/src/lang-css.js
I will put together a bug report against jsdoc for this, and a pull request to update, if I can.
We have fixed the regex issues that affect our library, but there are others in our jsdoc template. We're leaving it open until we fix those, too.
Our template is forked from the jsdoc default template, and the relevant code in jsdoc was forked from prettify (and never updated). If we do fix these issues in the template ourselves before jsdoc and prettify do, we can upstream the fix.