This repository has been archived by the owner on Sep 16, 2023. It is now read-only.

Unescaped identifiers regex causes DoS by heap exhaustion/infinite loop #694

ghost opened this issue Dec 23, 2018 · 2 comments



ghost commented Dec 23, 2018

It's prevalent to import Sanctuary as S and sanctuary-def as $, i.e.:

import S from "sanctuary"
import $ from "sanctuary-def"

The problem is that esm's find-indexes is using the unescaped identifiers in a regex (e.g. S and $), which, in this case, causes an infinite loop, i.e.:
pattern becomes new RegExp("\\b(?:S|$)\\b", "g") which matches 0 characters, and therefore matches infinitely (e.g. in the while loop).

Suggested bug fix: escape the identifiers used in the regex.

jdalton added the bug label Dec 24, 2018

jdalton commented Dec 24, 2018

Thank you @leosbotelho!

Patched c41e001.


ghost commented Dec 24, 2018

You are very welcome. I'm sorry to bother.

@jdalton, I think it's enough to"|") or similar. Maybe also filter(({length}) => length > 0) with empty error condition?

Regarding tests, this seems to fix the issue.
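
The failure mode reported in this issue next to the suggested escaping fix, as an added example that is not esm's code and not part of the original thread. `escapeRegExp`, `buildPattern`, `scan`, `demo` and the sample source string are hypothetical names and constructed input; the loop carries a zero-length-match guard so the demonstration terminates.

```javascript
// Added example: names below are hypothetical, not esm's find-indexes source.

// Escape RegExp metacharacters so each identifier is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
}

// Build the identifier alternation, raw (as reported) or escaped (the fix).
function buildPattern(identifiers, escape) {
  // Assumption: empty names are dropped and an empty list is an error.
  const names = identifiers.filter(({ length }) => length > 0)
  if (names.length === 0) {
    throw new Error("no identifiers to search for")
  }
  const parts = escape ? names.map(escapeRegExp) : names
  return new RegExp("\\b(?:" + parts.join("|") + ")\\b", "g")
}

// exec() loop with a guard. A zero-length match leaves lastIndex where it
// was, so an unguarded loop would see the same match forever and keep
// pushing indexes until the heap is exhausted.
function scan(code, pattern) {
  const indexes = []
  let stalledAt = -1
  let match
  pattern.lastIndex = 0
  while ((match = pattern.exec(code)) !== null) {
    if (match[0].length === 0) {
      stalledAt = match.index // stop instead of spinning
      break
    }
    indexes.push(match.index)
  }
  return { indexes, stalledAt }
}

// Constructed sample source; it ends in a word character, which is where
// the unescaped "$" (end of input) can match between the two \b assertions.
const SAMPLE = 'S.map(f)\nconst x = S'

function demo() {
  const ids = ["S", "$"]
  return {
    raw: scan(SAMPLE, buildPattern(ids, false)),
    escaped: scan(SAMPLE, buildPattern(ids, true)),
  }
}
```

Escaping removes the zero-length match, but `\b` does not delimit a standalone `$` because `$` is not a word character, so the escaped pattern here finds `S` and never a lone `$`.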
