security: fix catastrophic backtracking
Problem: The regex used to validate the user portion was vulnerable to catastrophic backtracking. This made valid-email vulnerable to a weak ReDoS attack. Each malicious input blocks the event loop for about 0.1 seconds.

Solution: I tweaked the behavior of the regex pattern. It now accepts double-quote and space ('"' and ' ', respectively) characters anywhere in the user portion. It used to accept a broader range of characters provided they were escaped. To retain the original language, I suspect a custom parser would be necessary. Seems like overkill for this module.
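What the commit describes, as an added example that is not code from the valid-email module: a hypothetical user-portion pattern with a nested quantifier (the shape that backtracks catastrophically) beside a simplified single-character-class pattern in the spirit of the fix, plus a hand-written linear scan that keeps the escaped-character language the simplified regex gives up. The pattern contents, the 64-octet length cap and the Node.js >= 16 global `performance` are assumptions, not taken from the project.

```javascript
// Added example, not code from the valid-email module. Both regexes and the
// 64-octet cap (RFC 5321 local-part limit) are assumptions for illustration.
// Assumes Node.js >= 16 (global `performance`).

// Hypothetical "before": bare atoms OR a backslash-escaped character, repeated.
// The + inside the * is a nested quantifier: on a long run of atom characters
// followed by something neither alternative accepts, the engine tries every
// way of splitting the run between iterations before failing (O(2^n)).
const VULNERABLE_LOCAL = /^(?:[A-Za-z0-9.]+|\\[^\r\n])*$/;

// Hypothetical "after", in the spirit of the commit: one character class, no
// nested quantifier, so each input character is examined once. Escapes are
// dropped; double quote and space are accepted anywhere.
const SAFE_LOCAL = /^[A-Za-z0-9." ]+$/;

function checkLocalPart(re, localPart) {
  return re.test(localPart);
}

// Hand-written scan that keeps the escaped-character language of the
// vulnerable pattern but consumes each character at most once (O(n)).
function scanLocalPart(localPart) {
  // Assumed cap: bounds work even if a pattern were quadratic.
  if (localPart.length === 0 || localPart.length > 64) return false;
  let i = 0;
  while (i < localPart.length) {
    const c = localPart[i];
    if (c === '\\') {
      const next = localPart[i + 1];
      // A dangling escape or an escaped line break is rejected.
      if (next === undefined || next === '\r' || next === '\n') return false;
      i += 2;
    } else if (/^[A-Za-z0-9.]$/.test(c)) {
      i += 1;
    } else {
      return false;
    }
  }
  return true;
}

// Times the vulnerable pattern on a constructed worst case: n atom characters
// followed by '!', which neither alternative matches, forcing full backtracking.
function timeVulnerable(n) {
  const input = 'a'.repeat(n) + '!'; // constructed malicious input
  const t0 = performance.now();
  const matched = VULNERABLE_LOCAL.test(input);
  return { matched, ms: performance.now() - t0 };
}

// The same constructed worst case against the two linear checks.
function timeLinear(n) {
  const input = 'a'.repeat(n) + '!';
  const t0 = performance.now();
  const matched = checkLocalPart(SAFE_LOCAL, input) || scanLocalPart(input);
  return { matched, ms: performance.now() - t0 };
}

for (const n of [14, 18, 22]) {
  const v = timeVulnerable(n);
  const l = timeLinear(n);
  console.log(`n=${n}: vulnerable ${v.ms.toFixed(1)} ms, linear ${l.ms.toFixed(3)} ms`);
}
```

Run it with `node` and raise the n values to watch the vulnerable timing roughly double with every added character while both linear checks stay flat. The length cap on its own also bounds the worst case, which makes it the cheap check to keep in front of whichever pattern is chosen.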