Vulnerable Regular Expression #3
Comments
jsdom is not meant to be used on untrusted user input, so I don't consider this a big deal. But a pull request replacing this with something better would certainly be welcome, as long as it passes all the tests.
I agree, but then why is this an independent npm module? What about the other users of this module? Can you at least write a sentence in the module description explaining that it should not be applied on untrusted headers?
A pull request is welcome adding such a sentence.
I'm not sure how realistic this is. I think it would be best to modify the regex in a way that removes this vulnerability. It would help use-cases that do use untrusted input (use-cases that undoubtedly exist today).
There are much worse attacks than a six second slowdown, if you run jsdom on untrusted input.
The following regular expression used for parsing the user agent is vulnerable to ReDoS:
/^(.*?)\/(.*?)([\t ]*;.*)?$/
The slowdown is moderate (for 30,000 characters around 4 seconds matching time). However, an attacker can easily control the value of the headers he sends. I would suggest one of the following:
If needed, I can provide an actual example showing the slowdown.
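One way to get the same capture groups without backtracking, as an added example that is not part of the issue or the module's own code: a single-pass splitter checked against the quoted regex on short constructed inputs. The names `splitLinear`, `regexGroups`, `SAMPLES` and `mismatches` are hypothetical.

```javascript
// Added example: names below are hypothetical, not taken from the module.
const ORIGINAL = /^(.*?)\/(.*?)([\t ]*;.*)?$/; // regex quoted in the issue
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Single-pass equivalent. Returns [group1, group2, group3] as ORIGINAL.exec()
// would capture them (group3 undefined when there is no ';' part), or null.
// The regex is slow because [\t ]* is retried from every offset inside a run
// of blanks that is not followed by ';'; here each character is visited a
// bounded number of times.
function splitLinear(input) {
  // '.' never matches a line terminator, so the anchored regex rejects these.
  if (LINE_TERMINATOR.test(input)) return null;
  const slash = input.indexOf("/");
  if (slash === -1) return null;
  const first = input.slice(0, slash);
  const semi = input.indexOf(";", slash + 1);
  if (semi === -1) return [first, input.slice(slash + 1), undefined];
  // Group 3 starts at the blanks directly in front of the first ';'.
  let cut = semi;
  while (cut > slash + 1 && (input[cut - 1] === " " || input[cut - 1] === "\t")) cut--;
  return [first, input.slice(slash + 1, cut), input.slice(cut)];
}

function regexGroups(input) {
  const m = ORIGINAL.exec(input);
  return m && [m[1], m[2], m[3]];
}

// Constructed sample values, kept short so the original regex stays fast.
const SAMPLES = [
  "text/html", "text/html;charset=utf-8", "text/html \t ; charset=utf-8; x=1",
  "a/b/c;d", ";a/b", "a/ \t;", "a/b   c", "a/b ", "/", "", "no-slash; x",
  "a/b\n", "a\r/b", "a/;",
];

// Returns the samples on which the two implementations disagree.
function mismatches() {
  return SAMPLES.filter(
    (s) => JSON.stringify(regexGroups(s)) !== JSON.stringify(splitLinear(s))
  );
}

console.log("mismatches:", mismatches());
```

Any replacement still has to pass the module's own test suite, as the maintainer asks above; the sample list here only checks agreement with the quoted regex.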