
Fix code scanning alert - Polynomial regular expression used on uncontrolled data #2

Open
shgysk8zer0 opened this issue Sep 22, 2023 · 2 comments
Assignees: shgysk8zer0
Labels: bug (Something isn't working), question (Further information is requested), wontfix (This will not be worked on)

Comments

@shgysk8zer0 (Owner)

shgysk8zer0 commented Sep 22, 2023

Tracking issue for:

Some regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length n is proportional to n^k or even 2^n. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service ("DoS") attack by crafting an expensive input string for the regular expression to match.

The regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.
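An added example, not code from the @shgysk8zer0/http project and not the regex the scanner flagged (the issue does not quote it): it shows the backtracking cost the alert describes on a header-style value, a single-pass replacement, and the header-length bound the thread suggests as the practical mitigation. The regex, the limit `MAX_HEADER_CHARS`, the function names and the hostile input are all constructed for this demonstration.

```javascript
// Added example (not the project's own code). Demonstrates why an unanchored
// backtracking regex on attacker-controlled header text can go quadratic,
// and what a bounded, linear alternative looks like.

// Quadratic shape: with nothing anchoring the left side, the engine retries
// `\s+$` from every position inside a run of whitespace. If that run is NOT
// at the end of the string, each attempt scans to the end of the run, fails
// on `$`, backtracks one character at a time, and the next start position
// repeats the work. "x" + " ".repeat(n) + "y" costs roughly n*n/2 steps.
function trimTrailingRegex(value) {
  return value.replace(/\s+$/, '');
}

// Linear replacement: one backwards pass, each character inspected once.
function trimTrailingLinear(value) {
  let end = value.length;
  while (end > 0 && /\s/.test(value[end - 1])) end -= 1;
  return value.slice(0, end);
}

// Assumed limit on a single header line (hypothetical value; a deployment
// choice, as the thread notes the parser itself cannot fix arbitrary length).
const MAX_HEADER_CHARS = 8192;

// Parse "Name: value" with indexOf instead of an ambiguous regex, and reject
// oversized lines before any matching happens, so the worst case is bounded.
function parseHeaderLine(line) {
  if (typeof line !== 'string' || line.length > MAX_HEADER_CHARS) {
    throw new RangeError('header line too long or not a string');
  }
  const sep = line.indexOf(':');
  if (sep === -1) return null;
  const name = trimTrailingLinear(line.slice(0, sep)).trimStart().toLowerCase();
  const value = trimTrailingLinear(line.slice(sep + 1)).trimStart();
  return { name, value };
}

// Constructed hostile input: a long whitespace run that is not at the end,
// so `\s+$` never succeeds and every start position is tried.
function hostileValue(n) {
  return 'x' + ' '.repeat(n) + 'y';
}

// Wall-clock milliseconds for fn(input); used only for the comparison below.
function timeMs(fn, input) {
  const start = Date.now();
  fn(input);
  return Date.now() - start;
}

// Run the comparison: the regex timing grows roughly quadratically with n,
// the linear version grows linearly. Call demo() to see it.
function demo(n = 10000) {
  const bad = hostileValue(n);
  return {
    regexMs: timeMs(trimTrailingRegex, bad),
    linearMs: timeMs(trimTrailingLinear, bad),
    parsed: parseHeaderLine('Content-Type: multipart/form-data; boundary=----abc   '),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of `parseHeaderLine` is that the length check happens before the string reaches any pattern matcher: the commenter's observation that "any dev implementing the module could address this by checking the length of the headers and body" is exactly this bound, and with it in place even the quadratic trim has a fixed ceiling. Without the bound, only the linear trim keeps the worst case proportional to input size.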

@shgysk8zer0 (Owner, Author)

I'm not sure this can be fixed. Maybe somewhat improved, and any dev implementing the module could address this by checking the length of the headers and body, but in order to be spec compliant I have to have some things of arbitrary length.

@shgysk8zer0 shgysk8zer0 self-assigned this Sep 22, 2023
@shgysk8zer0 shgysk8zer0 added bug Something isn't working question Further information is requested wontfix This will not be worked on labels Sep 22, 2023
@shgysk8zer0 (Owner, Author)

Parsing of multipart/form-data this way is no longer required in node >= 20 since I can just throw the headers & body into Request and use await req.formData().

The function is being deprecated and will be removed in an upcoming version.

shgysk8zer0 added a commit that referenced this issue Sep 24, 2023
References #2

This function will no longer be necessary in node >= 20 but I don't
think it can be fixed (at least not easily, and it isn't worth it). It will be
removed in an upcoming release, and a `console.warn` is emitted when it is used.

Also update so that `import '@shgysk8zer0/http/module'` and
`import '@shgysk8zer0/http/module.js'` both work.
@shgysk8zer0 shgysk8zer0 linked a pull request Sep 24, 2023 that will close this issue
@shgysk8zer0 shgysk8zer0 removed a link to a pull request Sep 24, 2023