Commit bd61c45

fix(decimal128): add basic guard against REDOS attacks
This is a naive approach to reducing the efficacy of a REDOS attack against this module. A refactor of the regular expression or a custom parser substitute would be ideal, however this solution suffices as a stopgap until such work is completed. Many thanks to James Davis who graciously alerted us to the attack
1 parent e403bd9 commit bd61c45

1 file changed

+7
-0
lines changed

lib/bson/decimal128.js

@@ -235,6 +235,13 @@ Decimal128.fromString = function(string) {
235235
// Trim the string
236236
string = string.trim();
237237

238+
// Naively prevent against REDOS attacks.
239+
// TODO: implementing a custom parsing for this, or refactoring the regex would yield
240+
// further gains.
241+
if (string.length >= 7000) {
242+
throw new Error('' + string + ' not a valid Decimal128 string');
243+
}
244+
238245
// Results
239246
var stringMatch = string.match(PARSE_STRING_REGEXP);
240247
var infMatch = string.match(PARSE_INF_REGEXP);
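Review bot: the `7000` in `if (string.length >= 7000)` is a magic number; a named constant such as `MAX_DECIMAL128_STRING_LENGTH` with a comment explaining why that bound was chosen would make the guard reviewable and let the TODO above reference it. The error path `throw new Error('' + string + ' not a valid Decimal128 string')` also echoes the entire rejected input (up to the 7000-character limit) into the message; consider truncating the string or omitting it here so oversize inputs do not propagate into logs and error reports. Finally, the comment block above the guard should say what the guard does for callers (any trimmed input of 7000 or more characters is rejected before the regexes run) rather than only that it is naive.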
