Closed mbaraniak-exodus closed 7 months ago
@mbaraniak-exodus only package name needs validating, right? tag is not used to construct the regex
thanks for the detailed vulnerability reports btw, love them!
> @mbaraniak-exodus only package name needs validating, right? tag is not used to construct the regex
Yes, only the `package` is used to create the regex. The `tag` is on what to run it. I would still recommend doing some basic validation for the `tag` as well (length check, etc.)
Description: The `matches` function defined in the `src/version/get-tags.ts:4` is unsafely constructing the Regex expression based on the supplied `packageName` and `tag`.
The attacker can construct and execute Regex with exponential execution time, leading to ReDoS attacks.
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time.
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
Steps to reproduce:
Remediation:
Validate and sanitise `packageName` and `tag` parameters for any Regex special characters. It is recommended to use an allow list approach with `[a-zA-Z_\-0-9@/]+`.
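The allow-list remediation above, written out as an added example; this is not the project's own `matches` function from `src/version/get-tags.ts`. The function names, the `name@major.minor.patch` tag shape the matcher expects, and the 128-character tag limit are assumptions made for the example. The allow list itself is the one from the report, and `escapeRegExp` is kept as defence in depth so that even a value that slips past validation is compiled as a literal rather than as pattern syntax.

```typescript
// Allow list from the report: only these characters may reach the RegExp.
const PACKAGE_NAME_ALLOW = /^[a-zA-Z_\-0-9@/]+$/;
// Assumed cap for the tag; the tag is matched against, not compiled, so a
// basic length/character check (as suggested in the thread) is enough.
const MAX_TAG_LENGTH = 128;

function isValidPackageName(name: string): boolean {
  return PACKAGE_NAME_ALLOW.test(name);
}

function isValidTag(tag: string): boolean {
  // Printable ASCII only, non-empty, bounded length.
  return tag.length > 0 && tag.length <= MAX_TAG_LENGTH && /^[\x20-\x7e]+$/.test(tag);
}

// Escape every RegExp metacharacter so the value is matched literally.
function escapeRegExp(value: string): string {
  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build the tag matcher safely: reject names outside the allow list, then
// escape anyway before interpolating into the pattern (assumed tag shape:
// "<packageName>@<major>.<minor>.<patch>").
function buildTagMatcher(packageName: string): RegExp {
  if (!isValidPackageName(packageName)) {
    throw new Error(`invalid package name: ${JSON.stringify(packageName)}`);
  }
  return new RegExp(`^${escapeRegExp(packageName)}@(\\d+\\.\\d+\\.\\d+)$`);
}

// Hardened counterpart of a "does this tag belong to this package" check.
function matchesTag(packageName: string, tag: string): boolean {
  if (!isValidTag(tag)) {
    return false;
  }
  return buildTagMatcher(packageName).test(tag);
}

// Constructed sample inputs for a stand-alone run.
console.log(matchesTag("@scope/pkg", "@scope/pkg@1.2.3")); // true
console.log(isValidPackageName("pkg(name)"));              // false: "(" and ")" are rejected
```

Rejecting the input outright, rather than only escaping it, is the safer choice here: escaping protects the pattern, but the allow list also stops unexpected names from reaching git or the filesystem in later steps, and it makes the rejection visible in logs instead of silently matching nothing.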