The original Identity Server 4 code base has several medium impact security bugs detected by CodeQL scanning.
Description:
Some regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length n is proportional to nk or even 2n. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service ("DoS") attack by crafting an expensive input string for the regular expression to match.
The regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.
Typically, a regular expression is affected by this problem if it contains a repetition of the form r* or r+ where the sub-expression r is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.
Modify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.
Example
For example, assume that we want to embed a user-controlled string accountNumber into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:
function escapeQuotes(s) {
return s.replace("'", "''");
}
As written, this sanitizer is ineffective: if the first argument to replace is a string literal (as in this case), only the first occurrence of that string is replaced.
As mentioned above, the function escapeQuotes should be replaced with a purpose-built sanitization library, such as the npm module sqlstring. Many other sanitization libraries are available from npm and other sources.
If this is not an option, escapeQuotes should be rewritten to use a regular expression with the g ("global") flag instead:
function escapeQuotes(s) {
return s.replace(/'/g, "''");
}
Note that it is very important to include the global flag: s.replace(/'/, "''")without the global flag is equivalent to the first example above and only replaces the first quote.
Inefficient regular expression
The original Identity Server 4 code base has several medium impact security bugs detected by CodeQL scanning.
Description:
Some regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length n is proportional to nk or even 2n. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service ("DoS") attack by crafting an expensive input string for the regular expression to match.
The regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.
Typically, a regular expression is affected by this problem if it contains a repetition of the form r* or r+ where the sub-expression r is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.
Examples
Issues
Recommendation
Modify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.
Example
For example, assume that we want to embed a user-controlled string
accountNumberinto a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:As written, this sanitizer is ineffective: if the first argument to
replaceis a string literal (as in this case), only the first occurrence of that string is replaced.As mentioned above, the function
escapeQuotesshould be replaced with a purpose-built sanitization library, such as the npm modulesqlstring. Many other sanitization libraries are available from npm and other sources.If this is not an option,
escapeQuotesshould be rewritten to use a regular expression with theg("global") flag instead:Note that it is very important to include the global flag:
s.replace(/'/, "''")without the global flag is equivalent to the first example above and only replaces the first quote.References