fix(decimal128): add basic guard against REDOS attacks

This is a naive approach to reducing the efficacy of a REDOS attack against this module. A refactor of the regular expression or a custom parser substitute would be ideal, however this solution suffices as a stopgap until such work is completed. Many thanks to James Davis who graciously alterted us to the attack
mongodb · Feb 26, 2018 · bd61c45 · bd61c45
1 parent e403bd9
commit bd61c45
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/lib/bson/decimal128.js b/lib/bson/decimal128.js
@@ -235,6 +235,13 @@ Decimal128.fromString = function(string) {
   // Trim the string
   string = string.trim();
 
+  // Naively prevent against REDOS attacks.
+  // TODO: implementing a custom parsing for this, or refactoring the regex would yield
+  //       further gains.
+  if (string.length >= 7000) {
+    throw new Error('' + string + ' not a valid Decimal128 string');
+  }
+
   // Results
   var stringMatch = string.match(PARSE_STRING_REGEXP);
   var infMatch = string.match(PARSE_INF_REGEXP);