
inefficient regular expression #408

Open
phavekes opened this issue Nov 30, 2024 · 0 comments

Comments

@phavekes (Member)

This issue is imported from pivotal - Originally created on Nov 6, 2023 by Peter Havekes

The RA application’s client-side areas operate with an inefficient regular expression, which may ultimately lead to a client-side Denial-of-Service (ReDoS). The general composition, in combination with the presence of non-greedy quantifiers and multiple wildcards within the matchWord regular expression, was deemed subpar due to backtracking, thus resulting in exponential complexity. This renders the process vulnerable in the event a larger set of matched characters is handled. As a consequence, the application could be forced into performing excessive calculations, which will overload the running process.

Affected file:

Stepup-RA/src/Surfnet/StepupRa/RaBundle/Resources/public/js/moment/src/lib/parse/regex.js

Affected code:

export var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i; // any word (or two) characters or numbers, including two/three-word Arabic month names; the unbounded "*"/"+" runs and the lazy "\s*?" inside the repeated group are what the finding refers to

Solution

Limit the length of the matching strings
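To illustrate the proposed solution, here is an added example (not code from this issue or from the moment.js project) that places the matchWord pattern quoted above beside a length-bounded variant and a guarded helper; the 256-character cap and the helper's name are assumptions made for this example.

```javascript
// Added example, not code from the issue or from moment.js: the matchWord
// pattern beside a length-bounded variant, showing what "limit the length
// of the matching strings" looks like. The 256 cap is an assumed value.
const MAX_LEN = 256;

// The pattern the issue flags: open-ended "*" and "+" runs plus a lazy "\s*?"
// inside a repeated group, so on a long run of word characters the engine
// can retry many ways of splitting it before a match fails.
const matchWordUnbounded =
  /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;

// Same character classes, but every open-ended quantifier becomes a {lo,hi}
// range, which caps how much input each piece may consume and therefore how
// many split points the engine can backtrack over.
const matchWordBounded = new RegExp(
  `[0-9]{0,${MAX_LEN}}['a-z\\u00A0-\\u05FF\\u0700-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFEF]{1,${MAX_LEN}}` +
    `|[\\u0600-\\u06FF/]{1,${MAX_LEN}}(\\s*?[\\u0600-\\u06FF]{1,${MAX_LEN}}){1,2}`,
  'i',
);

// Second layer: refuse to hand an over-long string to any of these patterns
// at all, so the regex engine never sees input beyond the cap.
function matchWordToken(input, re = matchWordBounded) {
  if (typeof input !== 'string' || input.length > MAX_LEN) return null;
  const m = re.exec(input);
  return m ? m[0] : null;
}

// Constructed sample tokens: an English month, an ordinal day, the Arabic
// month name for September, and an over-long run of letters (300 chars).
const SAMPLES = {
  english: 'November',
  ordinal: '3rd',
  arabic: '\u0633\u0628\u062A\u0645\u0628\u0631',
  oversized: 'a'.repeat(MAX_LEN + 44),
};

// What each pattern consumes on the oversized input: the unbounded one
// swallows the whole run, the bounded one stops at MAX_LEN, and the guarded
// helper rejects the string before any matching happens.
function oversizedBehaviour() {
  return {
    unbounded: matchWordUnbounded.exec(SAMPLES.oversized)[0].length,
    bounded: matchWordBounded.exec(SAMPLES.oversized)[0].length,
    guarded: matchWordToken(SAMPLES.oversized),
  };
}

console.log(matchWordToken(SAMPLES.english), matchWordToken(SAMPLES.arabic), oversizedBehaviour());
```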
