ahmadalfy/gitlab-explorer

Regular expression Denial of Service (ReDoS) in /web_modules/diff2html.js

Closed this issue · 4 comments

Regular expression Denial of Service (ReDoS) in /web_modules/diff2html.js (low severity)

Fixability: no fix available yet.

Overview:
We found a dangerous regex: ^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@.* . It is used by exec; this may cause the program to hang or run out of memory while trying to match the pattern.

if ((values = /^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@.*/.exec(line))) {

reference id: 118615843594298458

What do you want me to do next?
details: @shieldfy details
ignore: @shieldfy ignore ?

Sure, here it is

Regular expression denial of service (ReDoS)

Technology: nodejs
Severity: high
CWE: CWE-400

Overview

Regular expression denial of service (ReDoS) is an algorithmic complexity attack that produces a denial of service by providing a regular expression that takes a very long time to evaluate.

The attack exploits the fact that most regular expression implementations have exponential worst-case time complexity: the time taken can grow exponentially in relation to the input size.

Details

The details of the vulnerability, going as deep as possible.

Problematic code

Example of vulnerable code:

// Allow only numbers with a suffix of #, for example: 'XXXXXX#'
var regexPattern = /([0-9]+)+\#/;
var testComplyWithRequirements = regexPattern.test(bankRouting)

The regular expression is definitely vulnerable to a ReDoS attack.
If a long enough input is provided it will stall the Node.js process and render it useless (in the background the Node.js process will take 100% CPU until it is stopped or the regex yields a result, true or false).

Example input:
91762612117612121123123123123121

Fix Recommendation

Avoid regexes that can take a lot of time to process, e.g. ones using *, +, {1,}, etc., especially when these quantifiers are applied inside groups.

Fix:

// Allow only numbers with a suffix of #, for example: 'XXXXXX#'
var regexPattern = /[0-9]+\#/;
var testComplyWithRequirements = regexPattern.test(bankRouting)

You can also validate the length before you apply the regex.
Fix:

// Allow only numbers with a suffix of #, for example: 'XXXXXX#'
var regexPattern = /[0-9]+\#/;
if (bankRouting.length > 10) return;
var testComplyWithRequirements = regexPattern.test(bankRouting)

Stay safe ❤️, The Shieldfy Team
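The comment above describes the nested-quantifier shape behind the vulnerable pattern and its fix. The following is an added example written for this page; it is not part of the Shieldfy report or of the gitlab-explorer or diff2html code. It implements a heuristic static check for that shape (an unbounded quantifier *, + or {n,} applied to a group whose body itself contains a quantifier), a timing harness that makes the exponential backtracking visible, and a small wrapper around the diff2html hunk-header regex quoted in the issue body so the same check and a sample match can be run over it. The function names hasNestedQuantifier, timeMatch and parseHunkHeader, the constant HUNK_HEADER, the digit-only strings and the sample hunk line are all assumptions made for the example.

```javascript
'use strict';

// Added example, not part of the Shieldfy report or gitlab-explorer.
// 1) hasNestedQuantifier: heuristic static check for the classic ReDoS shape
//    (an unbounded quantifier *, + or {n,} on a group whose body contains a
//    quantifier), e.g. ([0-9]+)+ or (a?)*. A heuristic, not a proof.
// 2) timeMatch: timing harness that exposes exponential backtracking.
// 3) parseHunkHeader: the diff2html regex quoted in the issue body, wrapped
//    in a function so it can be checked and exercised on a sample hunk line.

function hasNestedQuantifier(source) {
  const open = [];                 // one flag per open group: "body has a quantifier"
  let lastClosedHadQuant = false;  // did the group just closed contain a quantifier?
  let lastWasGroupClose = false;   // was the previous token a ')'?
  let lastWasQuant = false;        // was the previous token a quantifier? (for lazy '?')

  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    let isQuant = false;
    let unbounded = false;

    if (c === '\\') {
      i++;                                           // escaped character: skip it
    } else if (c === '[') {
      i++;                                           // character class: skip to ']'
      if (source[i] === '^') i++;
      if (source[i] === ']') i++;
      while (i < source.length && source[i] !== ']') {
        if (source[i] === '\\') i++;
        i++;
      }
    } else if (c === '(') {
      open.push(false);
      if (source[i + 1] === '?') {                   // (?: (?= (?! (?<= (?<! (?<name>
        if (source[i + 2] === '<' && source[i + 3] !== '=' && source[i + 3] !== '!') {
          const close = source.indexOf('>', i);      // named group: skip "(?<name>"
          i = close === -1 ? source.length : close;
        } else {
          i += source[i + 2] === '<' ? 3 : 2;
        }
      }
    } else if (c === ')') {
      lastClosedHadQuant = open.pop() === true;
      lastWasGroupClose = true;
      lastWasQuant = false;
      continue;
    } else if (c === '*' || c === '+') {
      isQuant = true;
      unbounded = true;
    } else if (c === '?') {
      isQuant = !lastWasQuant;                       // in '+?' or '*?' the '?' is the lazy modifier
    } else if (c === '{') {
      const m = /^\{(\d+)(?:,(\d*))?\}/.exec(source.slice(i));
      if (m) {
        isQuant = true;
        unbounded = m[2] === '';                     // {n,} has an empty upper bound
        i += m[0].length - 1;
      }
    }

    if (isQuant) {
      if (unbounded && lastWasGroupClose && lastClosedHadQuant) return true;
      for (let j = 0; j < open.length; j++) open[j] = true;  // every enclosing group now holds a quantifier
    }
    lastWasGroupClose = false;
    lastWasQuant = isQuant;
  }
  return false;
}

// Time a single RegExp#test call; returns the match result and elapsed milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// The hunk-header regex quoted in the issue body, wrapped for the check below.
const HUNK_HEADER = /^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@.*/;
function parseHunkHeader(line) {
  const values = HUNK_HEADER.exec(line);
  return values ? { oldStart: Number(values[1]), newStart: Number(values[2]) } : null;
}

const VULNERABLE = /([0-9]+)+\#/;   // the report's vulnerable pattern
const FIXED = /[0-9]+\#/;           // the report's fix

// Constructed inputs: digits with no trailing '#', so the engine tries every split.
for (const n of [12, 16, 20, 22]) {
  const input = '9'.repeat(n);
  const v = timeMatch(VULNERABLE, input);
  const f = timeMatch(FIXED, input);
  console.log(`n=${n}: vulnerable ${v.ms.toFixed(2)} ms, fixed ${f.ms.toFixed(3)} ms`);
}

for (const [name, src] of [
  ['report vulnerable pattern', VULNERABLE.source],
  ['report fix', FIXED.source],
  ['diff2html hunk header', HUNK_HEADER.source],
]) {
  console.log(`${name}: nested unbounded quantifier ${hasNestedQuantifier(src) ? 'FOUND' : 'not found'}`);
}

console.log(parseHunkHeader('@@ -12,7 +12,9 @@ function render()'));  // constructed hunk line
```

The timing loop roughly doubles per extra digit for the vulnerable pattern while the fix stays flat, which is the behaviour the comment above describes. The static check only catches the nested-quantifier shape; it does not catch overlapping alternation such as (a|aa)+, so treat "not found" as "not this particular shape", not as proof of linear matching.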

Sorry, I don't understand