fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

[mmmsssttt404]

Q	A
Bug fix?	yes
New feature?	no
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Fixed tickets
License	MIT
Doc PR	https://github.com/pm2-hive/pm2-hive.github.io/pulls

Steps to reproduce
Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

https://github.com/mmmsssttt404/pm2/blob/d0e7801184bcf98b7c93ffecc77c623df6ffa22f/lib/tools/Config.js#L204

PoC Files and Comparisons:
gist:https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385
use time:

Proposed Solution:
Change the regular expression to

((?<![\w\-])([\w\-]+\="[^"]*")|(?<![\w\-])([\w\-]+\='[^']*')|"([^"]*)"|'([^']*)'|\s )

change:

steps:
1.git clone https://github.com/mmmsssttt404/pm2.git
2.cd pm2
3.git checkout development
4.npm install
5.change regex
6.bash test/unit.sh

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

[CLAassistant]

All committers have signed the CLA.

[xqin]

_valid 是内部方法，仅在 Config.validateJSON 中被调用， Config.validateJSON 的调用方传入的数据 是来自 使用者自己传入的配置项生成的，何着自己DDOS自己算漏洞？

那 写段 nodejs 脚本执行任意命令或者跑个死循环，就可以提 nodejs 官方提 BUG 了吗？

看了一下你的 gist 中的 POC，都是类似的，拿这个套路在 github 上刷 PR 吗？

https://gist.github.com/mmmsssttt404

[GameDevZach]

This comment should be removed because the commit uses lookbehind assertions. The NodeJS implementation of the feature is in 8.10+ (2018-03-06) https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Lookbehind_assertion

[KyorCode]

#6031 this merge is giving issues.

[xqin]

The new regular expression has problems, and for the problem mentioned before, it cannot cut the parameters correctly.

@Unitech Please revert this pull request.

[mmmsssttt404]

Sorry for the impact on the project, this was caused by an extra space, but it happened to not be covered by the test, and then fixed it in the new PR
#6032

[mmmsssttt404]

[mmmsssttt404]

I add one test in https://github.com/mmmsssttt404/pm2/blob/master/test/programmatic/json_validation.mocha.js to test /issues/6031 this problem