Fix redos

[Richienb]

Signed-off-by: Richie Bendall [email protected]

📊 Metadata *

Bounty URL:

https://www.huntr.dev/bounties/1-npm-node-dns-sync

⚙️ Description *

Parse the hostname properly instead of using regexes.

💻 Technical Description *

Swap out the regex solution with an npm package that parses it regex-free.

🐛 Proof of Concept (PoC) *

See skoranga#5

🔥 Proof of Fix (PoF) *

A regex is no longer used.

👍 User Acceptance Testing (UAT)

Unit tests pass.

[mufeedvh]

Hello @Richienb,

A good approach to fix the issue but under the hood, the dependency/package you used to validate the hostname is also vulnerable to ReDoS.

The package is-valid-hostname uses two Regex patterns:

const validHostnameChars = /^([a-zA-Z0-9-.]+){1,253}$/g

and

const validLabelChars = /^([a-zA-Z0-9-]+)$/g

The first Regex pattern is vulnerable to ReDoS which makes the fix insufficient.

To check whether a Regex is vulnerable or not, you can use:

• https://github.com/substack/safe-regex
• https://redos-checker.surge.sh/

[JamieSlome]

@Richienb - thank you for your submission!

We would love to see more of the contributions in the future! 🍰

If you have any questions, get in touch!

[huntr-helper]

Sorry Richienb, we enjoyed reviewing your fix but it has not been selected this time. If this bounty has not been closed, please feel free to try again with a new pull request!

We appreciate your effort and look forward to reviewing more of your fixes in the future! 🔨😎