shgysk8zer0 / node-http

A JavaScript library that provides various utilities for working with HTTP
https://npmjs.com/package/@shgysk8zer0/http
MIT License
1 stars 0 forks source link

Fix code scanning alert - Polynomial regular expression used on uncontrolled data #2

Open shgysk8zer0 opened 1 year ago

shgysk8zer0 commented 1 year ago

Tracking issue for:

Some regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length n is proportional to nk or even 2n. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service ("DoS") attack by crafting an expensive input string for the regular expression to match.

The regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.

shgysk8zer0 commented 1 year ago

I'm not sure this can be fixed. Maybe somewhat improved, and any dev implementing the module could address this by checking the length of the headers and body, but in order to be spec compliant I have to have some things of arbitrary length.

shgysk8zer0 commented 1 year ago

Parsing of multipart/form-data this way is no longer required in node >= 20 since I can just throw the headers & body into Request and use await req.formData().

The function is being deprecated and will be removed in an upcoming version.