Skip to content
This repository has been archived by the owner on Sep 16, 2023. It is now read-only.

Unescaped identifiers regex causes DoS by heap exhaustion/infinite loop #694

Closed
ghost opened this issue Dec 23, 2018 · 2 comments
Closed

Comments

@ghost
Copy link

ghost commented Dec 23, 2018

It's prevalent to import Sanctuary as S and sanctuary-def as $, i.e:

import S from "sanctuary"
import $ from "sanctuary-def"

The problem is that esm's find-indexes is using the unescaped identifiers in a regex (e.g: S and $), which, in this case, causes an infinite loop, i.e:
pattern becomes new RegExp("\\b(?:S|$)\\b", "g") which matches 0 characters, and therefore matches infinitely (e.g in the while loop).

Suggested bug fix: escape the identifiers used in the regex.

@jdalton jdalton added the bug label Dec 24, 2018
@jdalton
Copy link
Member

jdalton commented Dec 24, 2018

Thank you @leosbotelho!

Patched c41e001.

@ghost
Copy link
Author

ghost commented Dec 24, 2018

You are very welcome. I'm sorry to bother.

@jdalton, I think it's enough to identifiers.map(escapeRegExp).join("|") or similar. Maybe also filter(({length}) => length > 0) with empty error condition?

Regarding tests, this seems to fix the issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Development

No branches or pull requests

1 participant