search

ecomfe / fecs

Front End Code Style Suite
http://fecs.baidu.com/
643 stars 115 forks source link

Potential Regular Expression Denial of Service (ReDoS) in valid-var-jsdoc #362

Open yetingli opened 4 years ago

yetingli commented 4 years ago

Type of Issue Potential Regular Expression Denial of Service (ReDoS)

Description The vulnerable regular expressions are located in

https://github.com/ecomfe/fecs/blob/6b01e8fc808e450de6fd2fc24cb9aacd58ba5ef6/lib/js/rules/valid-var-jsdoc.js#L28

https://github.com/ecomfe/fecs/blob/6b01e8fc808e450de6fd2fc24cb9aacd58ba5ef6/lib/js/rules/valid-var-jsdoc.js#L36

The ReDOS vulnerabilities can be exploited with the following string AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_

You can execute the following code to reproduce ReDos

var rule = require('../../../../lib/js/rules/valid-var-jsdoc');
var RuleTester = require('eslint').RuleTester;

var ruleTester = new RuleTester({parser: 'babel-eslint'});

ruleTester.run('valid-var-jsdoc', rule, {
    invalid: [
        'var AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ = 1;',
        'const AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ = 1;',
    ],
});

I think you can limit the input length or modify this regex.

yetingli commented 4 years ago

Hi, For the CONSTPATTERN, I am willing to suggest that you replace `/^[A-Z]([A-Z\d$]+?)[A-Z\d$]$/with/^A-Z[A-Z\d$]$/`

For the PASCAL_PATTERN, you can replace /^([A-Z][a-zA-Z\d$]+)+$/ with /^([A-Z][a-zA-Z\d$]+)$/

These are equivalent fixes and the fixed regexes are safe.