A ReDoS vulnerability can be exploited after version 0.2.0

[SugarP1g]

There is a weak expression can be exploited to launch a DOS attack.

Execution stack is as follow:

POC:

Run result:

[mxro]

Thank you for raising this issue. Have added this to the Readme for the project until it is resolved.

Any ideas for resolving thie welcome.

I assume this can still be caught when setting an executor and max CPU time?

[SugarP1g]

Thank you for raising this issue. Have added this to the Readme for the project until it is resolved.

Any ideas for resolving thie welcome.

I assume this can still be caught when setting an executor and max CPU time?

Yes.

The cause of the problem is the defect of the regular engine.

This link can be referenced: https://checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf

[junweili]

Hi @mxro , is there any plan to fix this in near term? It is listed under https://nvd.nist.gov/vuln/detail/CVE-2021-40660#match-8086489

Thank you

[mxro]

Thanks for reaching out!

I guess the way forward here would be to replace the RegEx with more deterministic logic?

[junweili]

Yes, such complex RegEx is vulnerable. Out of curiosity about the reason of injecting interruption call by using POISON_PILLS, is this for the purpose of terminating script execution to cap cpu time?

[mxro]

Yes, it's injecting a bit of code that triggers the test for how much CPU time is used.

However, there is an additional fallback the sandbox provides, in that it can do a hard shutdown of the thread as well. But using the injected statements should be smoother.

[asilism]

@mxro
How about remove all comment lines before run jsSanitizer?
I have commented on a similar issue in the past. ( #108 )

I didn't know the exact reason such as ReDoS, but I knew that "POISONPIL + Comments" was the cause.
So, I am using the logic to remove all comments in the code before eval(), and there has been no slowdown since then.

I don't know this approach is a real solution to this vulnerability, but I'm leaving a post in case it helps.

[mxro]

@asilism Thank you for the idea!

So that would mean moving

https://github.com/javadelight/delight-nashorn-sandbox/blob/master/src/main/java/delight/nashornsandbox/internal/JsSanitizer.java#L201

to

delight-nashorn-sandbox/src/main/java/delight/nashornsandbox/internal/JsSanitizer.java

Line 279 in 23ba3d7

final String beautifiedJs = beautifyJs(js);

?

[asilism]

@mxro
Yes, before call beautifyJs.
but 2 Things must be clear. I think.

1 ) Does RemoveComments function completely remove all of comments line ?
2 ) it is necessary to confirm whether there is a need to change POISON_PIL regular expression.

[huzongxin1994]

@mxro I found that this issue was not resolved in version 0.2.4.Excuse me, when will the problem be solved? If multiple lines of non-function code are transferred, \n is not added to the end of the line after beautifyJs processing.

[mxro]

1 ) Does RemoveComments function completely remove all of comments line ?

I think it should!

2 ) it is necessary to confirm whether there is a need to change POISON_PIL regular expression.

Pretty sure the RegEx would need to be changed.

[mxro]

@huzongxin1994 Yes, this issue is still open.

Looking for good ideas to fix the Regex or avoid the problem altogether!

[huzongxin1994]

Modify the regular expression or split the regular logic, I think it's a better solution.Can you tell me more about what this regularity \n(?![\W]*(//.+[\W]+)else) means, and then we're trying to deal with it together?The \n(?*else) regular expression triggers a backtracking trap.

[mxro]

@huzongxin1994 This link @SugarP1g shared earlier describes the backtracking vulnerability: https://checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf

By avoiding it altogether, I was thinking of if there could be a solution that doesn't use a regular expression at all!