fix(decimal128): add basic guard against REDOS attacks

mbroadst · mbroadst · commit bd61c45157c5 · 2018-02-26T15:19:50.000-05:00
This is a naive approach to reducing the efficacy of a REDOS attack
against this module. A refactor of the regular expression or a
custom parser substitute would be ideal, however this solution
suffices as a stopgap until such work is completed.

Many thanks to James Davis who graciously alterted us to the
attack
diff --git a/lib/bson/decimal128.js b/lib/bson/decimal128.js
@@ -235,6 +235,13 @@ Decimal128.fromString = function(string) {
   // Trim the string
   string = string.trim();
 
+  // Naively prevent against REDOS attacks.
+  // TODO: implementing a custom parsing for this, or refactoring the regex would yield
+  //       further gains.
+  if (string.length >= 7000) {
+    throw new Error('' + string + ' not a valid Decimal128 string');
+  }
+
   // Results
   var stringMatch = string.match(PARSE_STRING_REGEXP);
   var infMatch = string.match(PARSE_INF_REGEXP);
