search

viliusle / miniPaint

online image editor
http://viliusle.github.io/miniPaint/
Other
2.6k stars 607 forks source link

Regular Expression DoS vulnerability #247

Closed yinxiL closed 3 years ago

yinxiL commented 3 years ago

We are working on the ReDoS problem and detected 1 vulnerable regex(es) from your repository.

1: url\s*\(((?:[^)(]|\((?:[^)(]+|\([^)(]*\))*\))*)\) in miniPaint/dist/bundle.js

Please try the following:

var pattern = "url\\s*\\(((?:[^)(]|\\((?:[^)(]+|\\([^)(]*\\))*\\))*)\\)";
var input = "url((\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b";
var re = new RegExp(pattern);
var matched = input.match(re);

We didn’t create a pull request because we're not sure if these cases are possible to take place in your program, we also do not understand the functionality of these regexes as you do. Thank you for your understanding.

Giwayume commented 3 years ago

There's no backend in this application, this does not apply.

viliusle commented 3 years ago

It will still appear in old dist/* files, but will be gone after next version release.