Security Fix for Regular Expression Denial of Service (ReDoS) - huntr.dev (#8)

* Added two dangerous URLs to the fixtures array.

* WIP: ReDoS mitigation - Fixed catastrophic backtracking that was happening at the check for a basic auth sequence, i.e. http://username:pass@example.com, but there is another happening at the domain var at line 11.

* WIP: ReDoS mitigation - current state of my update fixes the vuln, but breaks 4 tests.

* Added opt for punycode validation. Also made some minor regex tweaks. Passing all of notmatch and only failing 2 of urlmatch.

* Added punycode url fixtures.

* Simplified regex since case is always ignored.

* Abandoned my fix and implemented RE2 to replace the built-in regex engine.

* Removed the punycode validation I added because one of the operators does not work with RE2.

Co-authored-by: Ben <beale.ben@gmail.com>
Co-authored-by: Jamie Slome <55323451+JamieSlome@users.noreply.github.com>
3 people committed Sep 16, 2020
1 parent d946be3 commit e5a085a
Showing 3 changed files with 12 additions and 4 deletions.
4 changes: 3 additions & 1 deletion index.js
@@ -1,4 +1,6 @@
'use strict';
const RE2 = require("re2");


module.exports = function (opts) {
var exact = (opts && opts.exact !== undefined) ? opts.exact : true;
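Review bot: `const RE2 = require("re2");` pulls in the native node-re2 addon, but package.json is not among the three files this commit changes (index.js, test/notmatch.js, test/urlmatch.js), so the dependency is undeclared and a clean install will fail at require time. Add `re2` to `dependencies` in the same change so the fix is installable. Minor style point for the same hunk: the header goes from 4 to 6 lines because a second blank line was added after the require; keep the single blank line the file had between the prologue and `module.exports`.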
Expand All @@ -14,5 +16,5 @@ module.exports = function (opts) {
var path = '(?:[/?#][^\\s"]*)?';
var regex = '(?:' + protocol + '|www\\.)' + auth + '(?:localhost|' + ip + '|' + host + domain + tld + ')' + port + path;

return exact ? new RegExp('(?:^' + regex + '$)', 'i') : new RegExp(regex, 'ig');
return exact ? new RE2('(?:^' + regex + '$)', 'i') : new RE2(regex, 'ig');
};
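Review bot: the pattern itself (`var regex = '(?:' + protocol + '|www\\.)' + auth + ...`) is carried over unchanged, so the mitigation rests entirely on RE2's linear-time engine rather than on a rewritten expression. That is sound for the constructs visible in this hunk (non-capturing groups, character classes, `?`/`*` quantifiers), but RE2 rejects backreferences and lookaround, so any later edit to `auth`, `host`, `domain` or `tld` that introduces those will fail at construction rather than silently reintroducing backtracking; a one-line comment above the `return` saying why RE2 is used would protect the change. Also note the return value is now an RE2 instance rather than a native RegExp: callers that test `instanceof RegExp` or hand the result to APIs that require a real RegExp will break, which is a public API change worth a README/changelog line and a version bump.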
6 changes: 4 additions & 2 deletions test/notmatch.js
6 changes: 5 additions & 1 deletion test/urlmatch.js
Expand Up @@ -11,7 +11,6 @@ const exactFixtures = [
'http://a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com',
'http://mw1.google.com/mw-earth-vectordb/kml-samples/gp/seattle/gigapxl/$[level]/r$[y]_c$[x].jpg',
'http://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body',
'http://www.microsoft.xn--comindex-g03d.html.irongeek.com',
'http://✪df.ws/123',
'http://localhost/',
'http://userid:password@example.com:8080',
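Review bot: the removed `'http://www.microsoft.xn--comindex-g03d.html.irongeek.com'` line is not a loss of coverage; the identical fixture reappears at the tail of the same `exactFixtures` array in the next hunk next to the other punycode entries. A pure reorder like this is fine, but the commit message only says punycode fixtures were added, so a word there (or keeping the line in place and appending only the new ones) would make the diff easier to audit.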
Expand Down Expand Up @@ -60,6 +59,11 @@ const exactFixtures = [
'http://➡.ws/䨹',
'www.google.com/unicorn',
'http://example.com.',
'http://www.microsoft.xn--comindex-g03d.html.irongeek.com',
'www.microsoft.xn--comindex-g03d.html.irongeek.com',
'http://xn--addas-o4a.de/',
'xn--aerlngus-j80d.com',
'xn--sngaporeair-zzb.com'
];

const notExactFixtures = [
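Review bot: the five added `xn--` fixtures are positive matches only, and per the commit message the punycode validation was dropped for RE2 compatibility, so they only confirm that `xn--` labels pass the generic host pattern (with and without a scheme), not that the labels are well-formed punycode; the fixture comment should say so to avoid implying validation. The regression this commit exists for, a pathological input that used to trigger catastrophic backtracking, is not exercised in this file; if the "two dangerous URLs" from the commit message live in test/notmatch.js (not rendered here), consider adding an explicit test here that bounds match time for both the exact and the global variant, so a future pattern edit or a swap back to `RegExp` is caught.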

0 comments on commit e5a085a