Vulnerable Regular Expression

[cristianstaicu]

The following regular expression used in the "o" formatter is vulnerable to ReDoS:

/\s*\n\s*/

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:

• remove the regex,
• anchor the regex,
• limit the number of characters that can be matched by the repetition,
• limit the input size.

If needed, I can provide an actual example showing the slowdown.

[TooTallNate]

Thanks for the report. Patch welcome! The %o formatter by design needs to remove the newlines but any performance optimizations are ❤️ 👍

[fadookie]

@TooTallNate As far as I can tell no security patch for this issue has yet been released for 3.x, is this in the works? Thanks!

[TooTallNate]

@fadookie Yes correct, thanks for the nudge. v3.1.0 has now been published.

[Yaniv-git]

Hello,
My name is Yaniv Nizry I’m an Application Security Researcher from CxSCA group at Checkmarx,
after looking into this issue we noticed that it might not have been resolved.
For more information please contact us at:
ScaAppSec@checkmarx.com

Thanks,
Yaniv

[Qix-]

@yaniv-checkmarx Hi. Feel free to submit a report to me at josh.junon@protonmail.com if you think you've found a security issue with debug. Please be sure to specify exactly which versions and/or version ranges you think the vulnerability pertains to.

Thanks.

[Yaniv-git]

@Qix- Hi, I sent you on September 14th the email, don't know if you got it.
Are there any updates?

[Qix-]

Hi @yaniv-checkmarx, I've been focused on other things the last few weeks. Apologies. I'll take a look within the next week to see if I can validate.

[Yaniv-git]

@Qix- pinging you on this issue :)

[Qix-]

Confirmed, regressed in 6ab9525c9841b656d996e521cf86192d5647483a a long while ago.

Will push a fix, thank you for the report @yaniv-checkmarx @Eden-checkmarx. Apologies for the delay until now.