Open huntr-helper opened 4 years ago
If you know of a way to change the regular expression to not have catastrophic backtracking, we'd certainly accept a patch. But note that this is not a security vulnerability in Benchmark.js. For example, it's also possible to benchmark the snippet while (true);
, which has the same "DoS" effect. It's up to the application that uses Benchmark.js to ensure it's not run with untrusted content or, in this case, with untrusted options.
@mathiasbynens - re: the backtracking, we will keep the bug bounty up on https://huntr.dev and review some of the suggestions provided by the security community! 🍰
This issue has been generated on-behalf of snoopysecurity (https://huntr.dev/app/users/snoopysecurity)
Vulnerability Description
It is possible to insert an evil regex as part of benchmark options such as setup, fn, fnArg ,teardown which can be used to conduct denial of service attacks benchmarkjs. This is possible because the regex use to check
use strict
string allows multiple repetitions of '***//' which allows Catastrophic Backtracking.Steps To Reproduce:
Simple PoC
This is a PoC of the extracted regex use to simply demonstrate that the ReDoS is possible. Benchmark is used here simply to measure time
Package PoC
This PoC demonstrates the malicious regex being inserted as part of potential user input.This hangs
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded :moneybag:? Go to https://huntr.dev/