Skip to content
Permalink
Browse files Browse the repository at this point in the history
fix(security): tweak strict SRI regex (#10)
The previous form was vulnerable to ReDoS attacks, by
crafting exceptionally long base64 hash strings.

This issue only affected consumers using the opts.strict option.
  • Loading branch information
zkat committed Feb 14, 2018
1 parent 427f423 commit d0ebcdc
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 9 deletions.
2 changes: 1 addition & 1 deletion index.js
Expand Up @@ -9,7 +9,7 @@ const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512']

const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i
const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/
const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/
const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/
const VCHAR_REGEX = /^[\x21-\x7E]+$/

class Hash {
Expand Down
15 changes: 9 additions & 6 deletions test/integrity.js
Expand Up @@ -7,20 +7,20 @@ const test = require('tap').test
const ssri = require('..')

test('toString()', t => {
const sri = ssri.parse('sha512-foo sha256-bar!')
const sri = ssri.parse('sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE= sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=')
t.equal(
sri.toString(),
'sha512-foo sha256-bar!',
'sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE= sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'integrity objects from ssri.parse() can use toString()'
)
t.equal(
sri.toString({strict: true}),
'sha512-foo',
'sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'accepts strict mode option'
)
t.equal(
sri.toString({sep: '\n'}),
'sha512-foo\nsha256-bar!',
'sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE=\nsha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'accepts separator option'
)
t.done()
Expand Down Expand Up @@ -72,9 +72,12 @@ test('concat()', t => {
'sha512-foo sha512-quux sha1-bar sha1-baz',
'preserves relative order for algorithms between different concatenations'
)
const strictSri = ssri.parse('sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw==')
t.equal(
sri.concat('sha1-bar!', {strict: true}).toString(),
'sha512-foo',
strictSri.concat('sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE=', {
strict: true
}).toString(),
'sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw==',
'accepts strict mode option'
)
t.done()
Expand Down
4 changes: 2 additions & 2 deletions test/stringify.js
Expand Up @@ -108,8 +108,8 @@ test('support strict serialization', t => {
'entries that do not conform to strict spec interpretation removed'
)
t.equal(
ssri.stringify('sha512-foo sha256-bar', {sep: ' \r|\n\t', strict: true}),
'sha512-foo \r \n\tsha256-bar',
ssri.stringify('sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw== sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=', {sep: ' \r|\n\t', strict: true}),
'sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw== \r \n\tsha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'strict mode replaces non-whitespace characters in separator with space'
)
t.done()
Expand Down

0 comments on commit d0ebcdc

Please sign in to comment.