Security Fix for Regular Expression Denial of Service (ReDoS) - huntr.dev #2088

Closed
huntr-helper wants to merge 0 commits from master into master
huntr-helper commented 2020-08-21 11:32:00 +00:00 (Migrated from github.com)

https://huntr.dev/users/bbeale has fixed the Regular Expression Denial of Service (ReDoS) vulnerability 🔨. bbeale has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
--- | ---
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/sheetjs/pull/1
GitHub Issue | https://github.com/SheetJS/sheetjs/issues/1904
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/maven/sheetjs/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-maven-sheetjs

⚙️ Description *

Implemented an alternative regex engine that is not vulnerable to ReDoS attacks caused by catastrophic backtracking.

💻 Technical Description *

From the readme in Google's repo:

RE2 is a fast, safe, thread-friendly alternative to backtracking regular expression engines like those used in PCRE, Perl, and Python. It is a C++ library.

Unlike the native NodeJS regex engine, which is vulnerable to denial of service attacks when a malicious user supplies a very long URL, RE2 lacks the backreference and lookahead capabilities required for this attack, making it safer to use on user supplied input. Given that this package does not accept user supplied regular expressions, and the existing regex was not making use of these operations, I imported the Node bindings for RE2, which use almost identical syntax to the native RegExp.

Similar to the mitigation approach I applied here: https://github.com/418sec/urlregex/pull/1

🔥 Proof of Fix (PoF) * / 👍 User Acceptance Testing (UAT)

A number of the unit tests were failing prior to my fix. I updated those as well.
[Screenshot: sheetjs-tests]

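The engine swap described in the technical description, as an added example that is not part of this PR or of the SheetJS code: a helper that first scans a pattern for the two construct families RE2 cannot compile (backreferences and lookaround), then compiles it with the RE2 Node binding, assumed here to be the `re2` npm package, and falls back to the native RegExp when that binding is not installed. The patterns fed to it below are constructed for illustration, not the library's own.

```javascript
// Added example, not code from the PR. Scans a regex source for constructs
// RE2 does not support. Escapes are consumed as pairs so an escaped backslash
// followed by a digit ("\\1") is not mistaken for a backreference, and
// character classes are skipped because "(?=" is literal inside them.
function re2Incompatibilities(source) {
  const found = new Set();
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') {
      const next = source[i + 1] || '';
      // \1..\9 or \k<name> outside a class is a backreference
      if (!inClass && (/[1-9]/.test(next) || (next === 'k' && source[i + 2] === '<'))) {
        found.add('backreference');
      }
      i++; // skip the escaped character whatever it was
      continue;
    }
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(' && source[i + 1] === '?') {
      const rest = source.slice(i + 2, i + 4);
      // (?= (?! (?<= (?<! are lookahead / lookbehind assertions
      if (/^[=!]/.test(rest) || /^<[=!]/.test(rest)) found.add('lookaround');
    }
  }
  return [...found];
}

// Compiles a pattern with the `re2` binding (assumed package name) when it is
// installed, otherwise with the native RegExp so the code still runs without
// the native addon. Patterns RE2 could not compile are rejected up front so a
// fallback never silently keeps a backtracking-only construct.
function compileSafe(source, flags = '') {
  const problems = re2Incompatibilities(source);
  if (problems.length) {
    throw new Error(`pattern uses ${problems.join(', ')}; not RE2-compatible`);
  }
  let Engine = RegExp;
  try { Engine = require('re2'); } catch (_) { /* binding not installed */ }
  return new Engine(source, flags);
}

// Constructed sample patterns: a trim pattern that migrates unchanged, and
// two that would need rewriting before moving to RE2.
const SAMPLES = ['^\\s+|\\s+$', '(\\w+)\\s+\\1', '^(?=.*\\d).+$'];
for (const s of SAMPLES) console.log(s, '->', re2Incompatibilities(s));
```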
SheetJSDev commented 2020-08-21 16:35:05 +00:00 (Migrated from github.com)

The referenced issue was already resolved. If there's something new here, please email us (hello@sheetjs.com)


Pull request closed
