A ReDoS vulnerability exists in grammar.js

DmitrySoshnikov / syntax

Syntactic analysis toolkit, language-agnostic parser generator.

MIT License

612 stars 88 forks source link

A ReDoS vulnerability exists in grammar.js #127

Open d1tto opened 1 year ago

d1tto commented 1 year ago

The affected code is located in grammar.js-line191. It uses the vulnerable regular expression '(\\.|[^'\\])*'. When the match fails, it will cause catastrophic backtracking. I generate PoC using the python script below

f = open("test.LR0", "w")
f.write("\u0000\\\u0000\\'" * 40000)
f.flush()

then run ./syntax --grammar test.LR0

DmitrySoshnikov commented 1 year ago

Thanks for the report - what's the impact here? Would be great to fix it - and will appreciate a PR for this.

d1tto commented 1 year ago

Thanks for the report - what's the impact here? Would be great to fix it - and will appreciate a PR for this.

Thanks for your reply! The impact here is that, if the user provides the grammar file generated by the python script above, the regex engine will exhaust computing resources and the application will be slow to respond, causing denial-of-service attack. You can read the report related to ReDoS to learn more about it.

d1tto commented 1 year ago

I have submitted a PR, could you take a look?

DmitrySoshnikov commented 1 year ago

Hi @d1tto, thanks for the PR - do we have an existing test for this (or need to add a new one)?