This module has a vulnerable regexp introduced in 2012 (7952e25a).
http-apps/fs.js
var rangesExpression = /^\s*bytes\s*=\s*(\d*\s*-\s*\d*\s*(?:,\s*\d*\s*-\s*\d*\s*)*)$/;
I don't see any defensive code protecting user input from reaching this regexp.
It is vulnerable to REDOS as follows:
{"pumpPairs":[{"pump":",\t-","prefix":"bytes=-"}],"suffix":"-,0\t"}
i.e. "prefix" + "pump a bunch of times" + "suffix".
The blow-up is exponential: 27 pumps blocks the event loop for 10 seconds.
Karen (CCd) is from Snyk.io and can help you with the vulnerability disclosure process.
Let me know if you have any questions.
I have some for you:
- Had you heard of REDOS before receiving this email?
- If so, when and how did you learn about it?
- Are you interested in a link to my tools to help detect REDOS in your projects? I'll be releasing them soon.
MDN is a good starting place for info on REDOS
- https://docs.microsoft.com/en-us/dotnet/standard/base-types/backtracking-in-regular-expressions
- https://docs.microsoft.com/en-us/dotnet/standard/base-types/best-practices#Backtracking
hthetiot
commented
6 years ago