
Regular Expression Denial of Service (ReDoS) #6012

Closed
vovikhangcdv opened this issue Jun 7, 2022 · 0 comments · Fixed by vovikhangcdv/moment#1 or #6015

Comments

@vovikhangcdv (Contributor)
Describe the bug
Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks for any string input controlled by the user.

An attacker can provide a specially crafted input to the default function moment(), which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

Proof of concept

```javascript
const moment = require('moment');
moment("(".repeat(50000));  // local execution time ~=0m1.6s
moment("(".repeat(500000)); // local execution time ~=8m49.741s
```

Expected behavior
Execution time has to be linear, not polynomial.

Occurrences

Impact
Any dependent that passes user-controllable string inputs to the package's moment() could be subject to the denial of service attack. It happens in the default use of the package and potentially affects around 57,775 dependents (last access: June 7 2022).
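As an added example (not moment's code and not the reporter's fix), the snippet below shows the defensive shape the fix commit describes: a single-pass comment stripper that refuses nested RFC 2822 comments, so each bracket is looked at once, plus an input length cap applied before any regex or parser runs. The sample date strings and the 256-character cap are constructed values.

```javascript
'use strict';
// Added example, not moment's own code.

// Strip single-level "(comment)" groups and collapse whitespace.
// Returns null when the string has an unbalanced or nested comment, so the
// caller can reject it instead of handing it to a costly parser.
function stripRfc2822Comments(input) {
  let out = '';
  let depth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '(') {
      if (depth === 1) return null;   // nested comment: reject (as in the fix)
      depth = 1;
    } else if (ch === ')') {
      if (depth === 0) return null;   // stray closing bracket
      depth = 0;
      out += ' ';                     // a comment counts as folding whitespace
    } else if (depth === 0) {
      out += ch;                      // text inside a comment is dropped
    }
  }
  if (depth !== 0) return null;       // unterminated comment
  return out.replace(/\s+/g, ' ').trim();
}

// Defensive wrapper: bound input size before any regex or parser sees it.
// The cap is a constructed value; size it to the date formats you accept.
const MAX_DATE_STRING_LENGTH = 256;

function safePreprocess(input) {
  if (typeof input !== 'string' || input.length > MAX_DATE_STRING_LENGTH) {
    return null;
  }
  return stripRfc2822Comments(input);
}

// Constructed sample inputs.
console.log(stripRfc2822Comments('Tue, (weekday) 07 Jun 2022 10:00:00 (UTC) +0000'));
// The pathological input from the issue is rejected at its second character.
console.log(stripRfc2822Comments('('.repeat(50000)));
console.log(safePreprocess('x'.repeat(50000)));
```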

vovikhangcdv added a commit to vovikhangcdv/moment that referenced this issue Jun 7, 2022
Fixes: [moment#2936](moment#6012)

Directly match the comment tokens in preprocessRFC2822 regex to resolve the problem [Regular Expression Denial of Service (ReDoS) moment#6012](moment#6012)
vovikhangcdv reopened this Jun 7, 2022
ichernev pushed a commit that referenced this issue Jul 6, 2022
* fix ReDoS in preprocessRFC2822 regex

Fixes: [#2936](#6012)

Disallow nested rfc2822 comments to prevent quadratic regex execution time (i.e. each open bracket is considered at most twice).
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-device-detector that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-opcache-manager that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-apcu-manager that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-keys-master that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-ip-locator that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-sessions that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-traffic that referenced this issue Aug 16, 2022
Pierre-Lannoy added a commit to Pierre-Lannoy/wp-vibes that referenced this issue Aug 16, 2022