clarkio / vscode-twitch-highlighter

This is a VS Code extension that will allow your Twitch chat to highlight a line of code via a command message. Example: `!line 8 server.js`. See the master branch README.md for more details.
https://clarkio.com

Regex DDoS #104

Open clarkio opened 5 years ago

clarkio commented 5 years ago

Is this something the extension is vulnerable to since we're using a regular expression to parse the command messages or are we ok as is? What do we need to do or take into consideration to mitigate the risk of regular expression attacks on the extension?

clarkio commented 5 years ago

Thanks to the suggestion from @notmyself on stream today, we should consider using the library minimist to parse commands in chat instead of using a regular expression to avoid this.

Minimist: https://github.com/substack/minimist

clarkio commented 5 years ago

After checking out minimist I don't think it will work well for parsing chat messages in our scenario.

Also, after reading up a little bit more from this OWASP article on ReDoS, it seems we don't have any regex patterns that would be vulnerable to such an attack: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

We should at least create a test to validate that changes to the regex pattern don't make it susceptible to ReDoS.
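One way to write the regression test proposed here, as an added example that is not the extension's own code: the command pattern `LINE_CMD` is an assumed stand-in (the real regex is not shown on this page), and the check feeds it inputs of growing length and requires the match time to stay flat, which is what a pattern with catastrophic backtracking fails.

```javascript
// Added example, not code from vscode-twitch-highlighter. LINE_CMD is an
// assumed stand-in for the extension's command regex: "!line <n>[-<m>] [file]".
// Every quantified group is anchored by a literal or a character-class change,
// so no two adjacent quantifiers compete for the same characters.
const LINE_CMD = /^!line\s+(\d+)(?:-(\d+))?(?:\s+(\S+))?\s*$/;

// Parse one chat message; returns null when it is not a well-formed command.
function parseLineCommand(message) {
  const m = LINE_CMD.exec(message);
  if (m === null) return null;
  const start = Number(m[1]);
  const end = m[2] === undefined ? start : Number(m[2]);
  if (end < start) return null; // reject reversed ranges like "!line 12-8"
  return { start, end, file: m[3] === undefined ? null : m[3] };
}

// ReDoS regression guard: run the regex over inputs of increasing length and
// fail if any single match exceeds the budget. A linear-time pattern finishes
// 100k characters in well under a millisecond; catastrophic backtracking
// grows superlinearly and blows through the budget long before that size.
function regexIsLinear(re, build, maxMs = 200) {
  for (const n of [1000, 10000, 100000]) {
    const input = build(n);
    const t0 = Date.now();
    re.test(input);
    if (Date.now() - t0 > maxMs) return false;
  }
  return true;
}

// Constructed inputs shaped to stress each quantifier in LINE_CMD: a long run
// the quantifier consumes, followed by a tail that forces the overall match to
// fail so the engine has to backtrack through the run.
const STRESS_BUILDERS = [
  (n) => '!line ' + ' '.repeat(n) + '8 a b',   // long \s+ run, then a failing tail
  (n) => '!line ' + '8'.repeat(n) + '-',        // long \d+ run, dangling "-"
  (n) => '!line 8 ' + 'x'.repeat(n) + ' y z',   // long \S+ run, extra token
];

// True when the command regex stays linear on every stress input.
function lineCommandRegexIsSafe() {
  return STRESS_BUILDERS.every((build) => regexIsLinear(LINE_CMD, build));
}
```

Wire `lineCommandRegexIsSafe()` into the extension's unit tests so a future edit that introduces a nested or overlapping quantifier fails the build instead of reaching chat.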