Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix potential ReDoS #37

Merged
merged 1 commit into from
Sep 10, 2021
Merged

Fix potential ReDoS #37

merged 1 commit into from
Sep 10, 2021

Conversation

yetingli
Copy link
Contributor

@yetingli yetingli commented Sep 9, 2021

No description provided.

@Qix-
Copy link
Member

Qix- commented Sep 9, 2021

Hi, normally we'd appreciate an email prior to submitting security patches, please keep this in mind as it's a pretty typical part of responsible disclosure.

Can you also provide some context for the redos? What sorts of input will cause issues?

@yetingli
Copy link
Contributor Author

yetingli commented Sep 9, 2021

Thanks for reminding. Sorry, I can't find your email. Could you tell me your email?

@Qix-
Copy link
Member

Qix- commented Sep 9, 2021

Well cat is out of the bag now, just write here. You can find emails in the commit messages of repositories by the way.

@yetingli
Copy link
Contributor Author

Proof of Concept

import ansiRegex from 'ansi-regex';


for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

@Qix- Qix- merged commit 8d1d7cd into chalk:main Sep 10, 2021
@Qix-
Copy link
Member

Qix- commented Sep 10, 2021

Thank you for the reproduction and the patch, was able to reproduce.

I'll push out an update immediately.

@Qix-
Copy link
Member

Qix- commented Sep 10, 2021

Published as 6.0.1 - thanks again!

@sindresorhus
Copy link
Member

Thanks. It would have been good with a regression test to ensure we don't accidentally regress the regex in the future.

Qix- pushed a commit that referenced this pull request Sep 14, 2021
@carnil
Copy link

carnil commented Sep 17, 2021

CVE-2021-3807 was assigned for this issue.

@Qix-
Copy link
Member

Qix- commented Sep 17, 2021

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 High

Yet another example of how laughably broken CVE scores are.

@mariusbutuc
Copy link

@yetingli first of all, big thanks for the contribution! 🙏🏼

Secondly, thanks to this PR I've also learned today about security policies within repos/github and noticed this too: https://github.com/chalk/ansi-regex/security/policy —perhaps this can help smoothen things out in the future. 😊

MylesBorins pushed a commit to MylesBorins/ansi-regex that referenced this pull request Nov 3, 2021
MylesBorins pushed a commit to MylesBorins/ansi-regex that referenced this pull request Nov 3, 2021
MylesBorins added a commit to MylesBorins/ansi-regex that referenced this pull request Nov 3, 2021
This is a backport of chalk@8d1d7cd

the test suite on the 3.0.0 branch is broken but I've manually verified
that no additional tests are broken and that this patch fixes the REDOS
@Qix- Qix- mentioned this pull request Nov 3, 2021
Qix- pushed a commit that referenced this pull request Mar 12, 2022
Qix- pushed a commit that referenced this pull request Mar 27, 2022
Copy link

@heatherleeann heatherleeann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chalk chalk locked as resolved and limited conversation to collaborators Nov 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants