I just installed nodejs on a server and a basic npm install shows a lot of messages like this:
$ npm install
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN prefer global [email protected] should be installed with -g
Note the message appearing to the right:
npm WARN ... or higher to avoid a RegExp DoS issue
^^^^^^^^^^^^^^^^^^^^^^^^^^^
On my local server, I was already using minimatch 3.0.3. However, since the server was not using the latest version of node, this was new to me and I started to investigate:
This issue is being reported in npm's GitHub and is mentioned in other questions. In general, it gets solved by upgrading the version of minimatch to at least 3.0.2.
However, I wonder what this RegExp DoS issue is. Is there any specific regex that was allowing a DoS attack through minimatch? I cannot imagine how this could happen and don't want to reproduce it, but I fail to find more documentation, and minimatch's GitHub list of issues does not have any trace of it.
From the release pages I see the only commit for the 3.0.2 release, in which basically the regex syntax is being encapsulated (I am not familiar enough with JavaScript to follow all of it to the last tiny detail).
Alternatively, if a Regex itself is affected by a user input, the attacker can inject an Evil Regex, and make the system vulnerable. In every layer of the WEB there are Regular Expressions, that might contain an Evil Regex.
An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time. The naïve Regex algorithm builds a Nondeterministic Finite Automaton (NFA), which is a finite state machine where for each pair of state and input symbol there may be several possible next states.
But for aaaaaaaaaaaaaaaaX there are 65536 possible paths, and the number doubles for each additional a. This is an extreme case where the naïve algorithm is problematic, because it must pass through many paths to find a non-matching input. The root cause of the above example is a Regex engine feature called backtracking.
From the commit you link to (https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955):
The test added in the commit is making a regex like this:
var exploit = '!(' + genstr(1024 * 15, '\\') + 'A)'
That is creating a string starting with '!(', then 1024*15 copies of \, then 'A)'. That must be the DoS condition.
This line
tail = tail.replace(/((?:\\{2}){0,64})(\\?)\|/g, function (_, $1, $2) {
is probably the one that was choking.