ajv-validator / ajv-formats

JSON Schema format validation for Ajv v8+
https://ajv.js.org
MIT License

Use 're2' package to prevent ReDoS? #7

Open phormio opened 3 years ago

phormio commented 3 years ago

According to the Ajv documentation:

some formats that ajv-formats package implements use regular expressions that can be vulnerable to ReDoS attack

Have you considered using the re2 package to eliminate this risk? According to its documentation:

RE2 was designed and implemented with an explicit goal of being able to handle regular expressions from untrusted users without risk. One of its primary guarantees is that the match time is linear in the length of the input string.

shumkov commented 3 years ago

Yeah, we are thinking about the same to secure Ajv. It would be cool to have such an option.

epoberezkin commented 3 years ago

This option probably belongs in ajv - this package both uses formats in some functions and also provides regular expressions that ajv uses directly, so it would have to somehow use different branches depending on ajv option...

shumkov commented 3 years ago

Makes sense. Probably, this issue should be moved to ajv repo.

Actually, the RE2 npm package is almost a drop-in replacement for RegExp constructor. We are planning to monkey-patch (something like global.RegExp = RE2) ajv on the first iteration.
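As an added example (not code from the ajv-formats project or from anyone in this thread), the snippet below shows what replacing the global RegExp constructor, as proposed above, does and does not reach: only `new RegExp(...)` calls made after the swap go through the replacement, while regex literals and patterns built at import time keep the native engine. It uses the real `re2` package when it is installed and otherwise a constructed stand-in subclass, so the effect is visible either way; whether a given library's format patterns are literals or constructor calls has to be checked in that library's source.

```javascript
// Added example, not from the ajv-formats project: scope of `global.RegExp = RE2`.
// Uses the real `re2` binding when installed; otherwise a constructed stand-in
// subclass of the native RegExp, so the demonstration runs either way.
const NativeRegExp = RegExp;
let Replacement;
try {
  Replacement = require("re2"); // linear-time engine, near drop-in for RegExp
} catch {
  Replacement = class StandInRegExp extends NativeRegExp {}; // marker only
}

// A pattern built at module load time, i.e. before any patch is applied.
// Libraries that construct their patterns at import time behave like this.
const PREBUILT = new NativeRegExp("^[a-z]+$");

// Swap the global constructor for the duration of fn, then restore it.
// `globalThis.RegExp` is the same binding as `global.RegExp` in Node.
function withPatchedRegExp(fn) {
  globalThis.RegExp = Replacement;
  try {
    return fn();
  } finally {
    globalThis.RegExp = NativeRegExp;
  }
}

// Probe each way a regex can come into existence while the patch is active.
function probe() {
  return withPatchedRegExp(() => {
    const fromCtor = new RegExp("^\\d{4}-\\d{2}-\\d{2}$"); // resolves through the patched global
    const literal = /^\d{4}-\d{2}-\d{2}$/;                 // literal: created by the engine, not via RegExp
    return {
      ctorPatched: fromCtor.constructor === Replacement,     // true: covered by the swap
      literalPatched: literal.constructor === Replacement,   // false: literals are never intercepted
      preBuiltPatched: PREBUILT.constructor === Replacement, // false: built before the swap
      stillMatches: fromCtor.test("2021-03-04") && literal.test("2021-03-04"),
    };
  });
}
```

Because only the `ctorPatched` case changes engine, the swap has to happen before the code that builds its patterns is loaded, and any literal-based patterns stay on the native backtracking engine regardless.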