makenowjust-labs/recheck

Playground reports a false positive in fuzz mode

fengkx opened this issue · 4 comments

What is the problem?

Playground reports a false positive in fuzz mode.

Here is the input regex:

/(?=(<table))\1(?=(\s*))\2(?<tableAttrs>(?:(?![>])[^])*)(?=(>))\4(?<tableChildren>(?=((?:(?![<])[^])*))\6)(?=(<\/table>))\7/


Log:

parse: start
parse: finish
  pattern: /(?=(<table))\1(?=(\s*))\2(?<tableAttrs>(?:(?![>])[^])*)(?=(>))\4(?<tableChildren>(?=((?:(?![<])[^])*))\6)(?=(<\/table>))\7/
fuzz: start (usesAcceleration: false)
fuzz: seeding start (seeder: static)
automaton: EpsNFA construction
     state size: 143
  alphabet size: 10
automaton: OrderedNFA construction
     state size: 39
  alphabet size: 10
fuzz: seeding finish
  size: 260
fuzz: iteration 1
  traces: 100
     max: '<table>\t<' (steps: 29, rate: 3.2222222222222223)
fuzz: attack start (status: limit)
  string: '/' + '<table'.repeat(168) + '<>'.repeat(159) + '<'
fuzz: attack (exponential)
fuzz: attack (polynomial: 4)
fuzz: attack succeeded (status: timeout)
  string: '/' + '<table'.repeat(269) + '<>'.repeat(260) + '<'
recall: code
const re = new RegExp('(?=(<table))\\1(?=(\\s*))\\2(?<tableAttrs>(?:(?![>])[^])*)(?=(>))\\4(?<tableChildren>(?=((?:(?![<])[^])*))\\6)(?=(<\\/table>))\\7', '');
const input = '/' + '<table'.repeat(269) + '<>'.repeat(260) + '<';
const start = Date.now();
re.exec(input);
const end = Date.now();
console.log(Number(end - start).toString());

Running the recall code:
It seems to cost 2ms to run instead of 2s.

The recall phase does not work on the playground (browser) because it needs to spawn a process.

Trying to run on Node.js with RECHECK_BACKEND=native, it still reports a fuzz vulnerable result. But when I ran the recall code output, it took 16ms to run. I expected it to need a longer time to run?

Please set recallTimeout explicitly (e.g. check('...', '', { recallTimeout: 2000 })).

Thanks, that means I need a longer recallTimeout to generate a longer attack string. This library is awesome~