MitocGroup/deep-framework

Regular expression vulnerability with xmlbuilder dependency

Open

#632 opened on Mar 9, 2018

0 comments, 1 assignee
Labels: enhancement, help wanted

Description

This project seems to have bundled code from the xmlbuilder library, and it contains a Regular expression Denial of Service (ReDoS)* vulnerability. This was fixed in the upstream xmlbuilder v9.0.7, you can see the upstream commit here: https://github.com/oozcitak/xmlbuilder-js/commit/bbf929a8a54f0d012bdc44cbe622fdeda2509230

The vulnerability originates from the following Regular Expression (/^[A-Za-z](?:[A-Za-z0-9._-]|-)*$/), in this function:

    XMLStringifier.prototype.xmlEncoding = function(val) {
      val = '' + val || '';
      // The alternation is ambiguous: '-' is matched by both branches, so a
      // failing input with many hyphens is retried exponentially many ways.
      if (!val.match(/^[A-Za-z](?:[A-Za-z0-9._-]|-)*$/)) {
        throw new Error("Invalid encoding: " + val);
      }
      return val;
    };

Here is an attack string (JSON-formatted):

{"pumpPairs":[{"pump":"-A","prefix":"AA"}],"suffix":"\u0000"}

A string composed of the indicated prefix, the "pump" concatenated 30 times, and then the suffix, takes about 10 seconds to evaluate, and will double for each additional concatenation of the pump string.

The blow-up is exponential-time, so just truncating the input may not help. The 10-second string is under 100 characters long.

  * ReDoS, also known as catastrophic backtracking, is when the regex engine takes more than linear time to scan a string. There are lots of resources about it on the web. I have included some starting points below.

Catastrophic backtracking is particularly problematic if two conditions are met:

  1. The module is used by server processes, and
  2. The regex can be reached by user input.
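As an added example (this is not code from the deep-framework or xmlbuilder projects), the Node.js script below rebuilds the attack string from the JSON description above, times the vulnerable regex against a hardened form, and wraps the encoding check in a function so both regexes can be compared on ordinary inputs. The hardened regex simply drops the redundant `|-` branch, since `-` is already inside the character class, which makes the two patterns accept exactly the same language; the names VULNERABLE_ENCODING_RE, HARDENED_ENCODING_RE, buildAttackString, timeMatch and demo are this example's own.

```javascript
// Added example: reproduce the ReDoS from the report and compare a fixed regex.
// Not part of deep-framework or xmlbuilder; names below are this example's own.

// The regex from the bundled xmlbuilder code. (?:[A-Za-z0-9._-]|-) is
// ambiguous: every '-' can be consumed by either branch, so when the match
// fails at the end the engine retries 2^(number of hyphens) combinations.
const VULNERABLE_ENCODING_RE = /^[A-Za-z](?:[A-Za-z0-9._-]|-)*$/;

// Hardened form: same language, no overlapping alternatives, linear backtracking.
const HARDENED_ENCODING_RE = /^[A-Za-z][A-Za-z0-9._-]*$/;

// The attack description from the report, in the JSON form given there.
const ATTACK_SPEC = JSON.parse(
  '{"pumpPairs":[{"pump":"-A","prefix":"AA"}],"suffix":"\\u0000"}'
);

// Build prefix + pump repeated n times (for each pump pair) + suffix.
function buildAttackString(spec, n) {
  const body = spec.pumpPairs.map((p) => p.prefix + p.pump.repeat(n)).join('');
  return body + spec.suffix;
}

// Run one regex against one input and report whether it matched and how long it took.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// The xmlEncoding check from the report, parameterised on the regex used.
function xmlEncoding(val, re = HARDENED_ENCODING_RE) {
  val = '' + val || '';
  if (!re.test(val)) {
    throw new Error('Invalid encoding: ' + val);
  }
  return val;
}

// Print timings for growing pump counts. The vulnerable column should roughly
// double per extra pump; the hardened column stays flat. Keep maxPumps well
// below 30 unless you are prepared to wait (the report measured ~10 s at 30).
function demo(maxPumps) {
  for (let n = 10; n <= maxPumps; n += 2) {
    const s = buildAttackString(ATTACK_SPEC, n);
    const v = timeMatch(VULNERABLE_ENCODING_RE, s);
    const h = timeMatch(HARDENED_ENCODING_RE, s);
    console.log(
      `pumps=${n} len=${s.length} vulnerable=${v.ms.toFixed(1)}ms hardened=${h.ms.toFixed(3)}ms`
    );
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  demo(Number(process.argv[2]) || 22);
}
```

Run it as `node redos-demo.js 24` and watch the vulnerable column double with each additional pump while the string length only grows by two characters; that doubling is the signature of the exponential blow-up the report describes, and it is why the fix has to be the regex itself rather than an input-length cap.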
