ExodusMovement / lerna-release-action

Selectively release packages from a lerna monorepo

ReDoS Vulnerability, src/version/get-tags #36

Closed mbaraniak-exodus closed 7 months ago

mbaraniak-exodus commented 7 months ago

Description: The matches function defined in src/version/get-tags.ts:4 unsafely constructs the Regex expression based on the supplied packageName and tag.

function matches(tag: string, packageName: string): boolean {
  // packageName is interpolated into the pattern without validation or escaping
  return new RegExp(`@[^/]+/${packageName}@`).test(tag)
}

The attacker can construct and execute Regex with exponential execution time, leading to ReDoS attacks.

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and hang for a very long time.

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

Steps to reproduce:

>>> cat index.js
function matches(tag, packageName) {
  return new RegExp(`@[^/]+/${packageName}@`).test(tag);
}

console.log(matches("@a/aaaaaaaaaaaaaaaaaaaaaaaaaaaab@", "(a|a)+"));

>>> time node index.js
false
node index.js  13.88s user 0.01s system 99% cpu 13.935 total

Remediation:

Validate and sanitise the packageName and tag parameters for any Regex special characters. It is recommended to use an allow-list approach with [a-zA-Z_\-0-9@/]+.
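A hardened matches() along the lines of the remediation above, as an added example that is not the project's code: packageName is checked against the proposed allow list before it reaches the RegExp constructor, metacharacters are escaped as a second layer, and tag gets a basic length check. The MAX_TAG_LENGTH value and the demo() inputs are assumed/constructed here.

```typescript
// Added example, not code from lerna-release-action.
// Allow list from the issue's remediation: only these characters may appear in a package name.
const PACKAGE_NAME_ALLOW_LIST = /^[a-zA-Z_\-0-9@/]+$/;
// Assumed upper bound for a tag string; not a value from the project.
const MAX_TAG_LENGTH = 256;

// Escape every character with special meaning in a RegExp pattern.
// Redundant once the allow list passes, but keeps the construction safe if
// the allow list is ever widened.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Reject anything outside the allow list before it can become pattern syntax.
function validatePackageName(packageName: string): string {
  if (!PACKAGE_NAME_ALLOW_LIST.test(packageName)) {
    throw new Error(`invalid package name: ${JSON.stringify(packageName)}`);
  }
  return packageName;
}

function matches(tag: string, packageName: string): boolean {
  if (tag.length > MAX_TAG_LENGTH) {
    throw new Error(`tag too long (${tag.length} > ${MAX_TAG_LENGTH})`);
  }
  const safeName = escapeRegExp(validatePackageName(packageName));
  // The pattern is now built only from a validated, escaped package name, so
  // nested quantifiers or alternation can no longer be injected.
  return new RegExp(`@[^/]+/${safeName}@`).test(tag);
}

// Constructed sample inputs showing accept / reject behaviour. The payload from
// the reproduction steps is rejected by validation before any regex is built.
function demo(): Record<string, boolean | string> {
  const results: Record<string, boolean | string> = {};
  results.legit = matches("@exodus/foo@1.2.3", "foo");
  results.otherPackage = matches("@exodus/foo@1.2.3", "bar");
  try {
    matches("@a/aaaaaaaaaaaaaaaaaaaaaaaaaaaab@", "(a|a)+");
    results.redosPayload = "accepted";
  } catch {
    results.redosPayload = "rejected";
  }
  return results;
}
```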

sparten11740 commented 7 months ago

@mbaraniak-exodus only package name needs validating, right? tag is not used to construct the regex

sparten11740 commented 7 months ago

thanks for the detailed vulnerability reports btw, love them!

mbaraniak-exodus commented 7 months ago

@mbaraniak-exodus only package name needs validating, right? tag is not used to construct the regex

Yes, only the package is used to create the regex. The tag is what it is run on. I would still recommend doing some basic validation for the tag as well (length check, etc.).