Security Fix for Regular Expression Denial of Service (ReDoS) - huntr.dev #2088
Reference: sheetjs/sheetjs#2088
https://huntr.dev/users/bbeale has fixed the Regular Expression Denial of Service (ReDoS) vulnerability 🔨. bbeale has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/sheetjs/pull/1 |
| GitHub Issue | https://github.com/SheetJS/sheetjs/issues/1904 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/maven/sheetjs/1/README.md |
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-maven-sheetjs
⚙️ Description *
Implemented an alternative regex engine that is not vulnerable to ReDoS attacks caused by catastrophic backtracking.
💻 Technical Description *
From the readme in Google's repo:
> RE2 is a fast, safe, thread-friendly alternative to backtracking regular expression engines like those used in PCRE, Perl, and Python. It is a C++ library.
Unlike the native NodeJS regex engine, which is vulnerable to denial of service attacks when a malicious user supplies a very long URL, RE2 lacks the backreference and lookahead capabilities required for this attack, making it safer to use on user supplied input. Given that this package does not accept user supplied regular expressions, and the existing regex was not making use of these operations, I imported the Node bindings for RE2, which use almost identical syntax to the native RegExp.
Similar to the mitigation approach I applied here.
🔥 Proof of Fix (PoF) * / 👍 User Acceptance Testing (UAT)
A number of the unit tests were failing prior to my fix. I updated those as well.
The referenced issue was already resolved. If there's something new here, please email us (hello@sheetjs.com)
Pull request closed
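To illustrate the contrast the PR description draws between backtracking engines and RE2, the following added example (not code from this PR, SheetJS, or RE2) runs one constructed NFA under both matching strategies and counts the work each does. The pattern `^(a+)+$`, the `NFA` table, and the function names are assumptions chosen for illustration; the regex this PR changed is not shown on the page.

```javascript
// Constructed NFA for the textbook pattern ^(a+)+$ (an assumption; not the PR's regex).
// State 0 starts a group; state 1 is inside a group and accepts at end of input.
const NFA = {
  accept: 1,
  // edges[state] = [symbol, nextState] pairs; symbol null is an epsilon move
  edges: {
    0: [["a", 1]],
    1: [["a", 1], [null, 0]], // continue the inner a+, or restart the outer group
  },
};

// Backtracking strategy: follow one edge at a time and retry alternatives on failure.
function backtrack(nfa, input) {
  let steps = 0;
  const walk = (state, pos) => {
    steps++;
    if (pos === input.length && state === nfa.accept) return true;
    for (const [sym, next] of nfa.edges[state]) {
      if (sym === null) { if (walk(next, pos)) return true; }
      else if (input[pos] === sym && walk(next, pos + 1)) return true;
    }
    return false; // every alternative from this (state, pos) failed
  };
  return { matched: walk(0, 0), steps };
}

// Automaton strategy (the approach RE2-style engines take): advance the whole set
// of live states once per input character, so no input position is ever re-read.
function simulate(nfa, input) {
  let steps = 0;
  const closure = (states) => {
    const seen = new Set(states);
    const stack = [...seen];
    while (stack.length) {
      const s = stack.pop();
      steps++;
      for (const [sym, next] of nfa.edges[s])
        if (sym === null && !seen.has(next)) { seen.add(next); stack.push(next); }
    }
    return seen;
  };
  let live = closure([0]);
  for (const ch of input) {
    const moved = new Set();
    for (const s of live)
      for (const [sym, next] of nfa.edges[s]) if (sym === ch) moved.add(next);
    live = closure(moved);
    if (live.size === 0) break; // no state survives: the input cannot match
  }
  return { matched: live.has(nfa.accept), steps };
}
```

On a constructed non-matching input of n `a` characters followed by `!`, `backtrack` takes 2^(n+1) - 1 steps while `simulate` takes 2n + 1, which is the property that makes a non-backtracking engine suitable for untrusted input.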