What is the "RegExp DoS issue"?

I just installed nodejs on a server and a basic npm install shows a lot of messages like this:

$ npm install
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN prefer global [email protected] should be installed with -g

Note the message appearing to the right:

npm WARN ... or higher to avoid a RegExp DoS issue
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^

On my local server, I was already using minimatch 3.0.3. However, since the server was not using the latest version of node, this was new to me and I started to investigate:

This issue is reported in npm's GitHub and mentioned in other questions. In general, it gets solved by upgrading minimatch to at least version 3.0.2.

However, I wonder: what is this RegExp DoS issue? Is there any specific regex that was allowing a DoS attack through minimatch? I cannot imagine how this could happen and don't want to reproduce it, but I fail to find more documentation, and minimatch's GitHub list of issues does not have any trace of it.

From the releases page I see the only commit for the 3.0.2 release, in which basically the regex syntax is being encapsulated (I am not familiar enough with JavaScript to follow all of it to the last detail).

fedorqui 'SO stop harming' asked Oct 17 '16 10:10


1 Answer

From the commit you link to (https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955):

The test added in the commit is making a regex like this:

var exploit = '!(' + genstr(1024 * 15, '\\') + 'A)'

That is creating a string starting '!(', then 1024*15 copies of \, then 'A)'. That must be the DoS condition.

This line

tail = tail.replace(/((?:\\{2}){0,64})(\\?)\|/g, function (_, $1, $2) {

is probably the one that was choking.

Chris Lear answered Oct 18 '22 23:10
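The slowdown the answer points at, reproduced as an added example (this is not code from the question, the answer, or minimatch itself). It builds the same shape of input as the commit's test, a long run of backslashes with no `|` for the regex to ever match, and times the `{0,64}` regex quoted in the answer against an unbounded `*` variant. Assumptions: that the pre-fix regex used `(?:\\{2})*` where the fixed one uses `(?:\\{2}){0,64}`; `escapePipes()` is a simplified stand-in for minimatch's replacement callback, not a copy of it; and `MAX_PATTERN_LENGTH` is a cap chosen for this example, not a minimatch constant.

```javascript
// Added example: not code from the question, the answer, or minimatch itself.
// ASSUMPTIONS: the pre-fix regex used `(?:\\{2})*` where the fixed one uses
// `(?:\\{2}){0,64}`; escapePipes() is a simplified stand-in for minimatch's
// replacement callback; MAX_PATTERN_LENGTH is this example's own choice.

// Same shape as the commit's test input: '!(' + count backslashes + 'A)'.
// There is no '|' anywhere, so every match attempt must fail.
function buildExploit(count) {
  return '!(' + '\\'.repeat(count) + 'A)';
}

// Assumed pre-fix shape: any number of backslash pairs, an optional single
// backslash, then '|'. At each start position inside the backslash run the
// greedy star first swallows every remaining pair, then gives them back one
// at a time before the '|' test fails for good: O(n) per position, O(n^2) total.
const UNBOUNDED = /((?:\\{2})*)(\\?)\|/g;

// Regex quoted in the answer: at most 64 pairs, so a failing attempt at any
// position costs at most about 65 * 2 steps, and the scan stays linear in n.
const BOUNDED = /((?:\\{2}){0,64})(\\?)\|/g;

// Stand-in for the replacement: an even number of backslashes before '|' means
// the pipe is bare and gets escaped; an odd number means it is already escaped
// and is left as it is.
function escapePipes(tail, re) {
  return tail.replace(re, (_, pairs, odd) => pairs + (odd || '\\') + '|');
}

// Time one scan (ms) and return the result alongside, so callers can check both.
function timeScan(re, input) {
  const start = process.hrtime.bigint();
  const out = escapePipes(input, re);
  return { ms: Number(process.hrtime.bigint() - start) / 1e6, out };
}

// Run both regexes over a backslash run of the given length.
// compare(15 * 1024) matches the size used by the commit's test.
function compare(count = 8 * 1024) {
  const input = buildExploit(count);
  const slow = timeScan(UNBOUNDED, input);
  const fast = timeScan(BOUNDED, input);
  return {
    count,
    unboundedMs: slow.ms,
    boundedMs: fast.ms,
    sameResult: slow.out === fast.out, // both leave a pipe-free input untouched
  };
}

// Second half of the defence: refuse oversized patterns before any regex runs,
// so even linear work has a ceiling. The constant is this example's choice.
const MAX_PATTERN_LENGTH = 64 * 1024;
function guardedScan(pattern) {
  if (pattern.length > MAX_PATTERN_LENGTH) {
    throw new TypeError('pattern is too long');
  }
  return escapePipes(pattern, BOUNDED);
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = compare();
  console.log(`${r.count} backslashes: unbounded ${r.unboundedMs.toFixed(1)} ms, ` +
              `bounded ${r.boundedMs.toFixed(1)} ms, same output: ${r.sameResult}`);
}
```

Run it with `node`. The unbounded form does roughly n^2/2 backtracking steps over a run of n backslashes, because the greedy star gives back one pair per retry at each of the n start positions; the `{0,64}` bound caps the retries per start position at a constant, so the whole scan grows linearly with the input. The length cap is cheap insurance on top of that: once the per-position cost is bounded, bounding the number of positions puts a hard ceiling on the total.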