Fix potential ReDoS by yetingli · Pull Request #37 · chalk/ansi-regex

@yetingli

@Qix-

Hi, normally we'd appreciate an email prior to submitting security patches, please keep this in mind as it's a pretty typical part of responsible disclosure.

Can you also provide some context for the redos? What sorts of input will cause issues?

@yetingli

Thanks for the reminder. Sorry, I can't find your email. Could you tell me your email?

@Qix-

Well, the cat is out of the bag now, so just write here. You can find emails in the commit messages of repositories, by the way.

@yetingli

Proof of Concept

```js
import ansiRegex from 'ansi-regex';

// Each iteration feeds an unterminated escape sequence of i*10000 semicolons
// and reports how long the regex takes to reject it.
for (var i = 1; i <= 50000; i++) {
	var time = Date.now();
	var attack_str = "\u001B[" + ";".repeat(i * 10000);
	ansiRegex().test(attack_str);
	var time_cost = Date.now() - time;
	console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
```

The ReDoS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`.
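The quadratic backtracking behind the PoC, as an added example that is not part of the thread or of ansi-regex's own code: a reduced copy of the BEL-terminated branch built from the two sub-patterns named above, a hardened variant, and the kind of regression check sindresorhus asks for later in the thread. The hardened variant assumes the fix is the one-character change of `*` to `+` after `;` in the first group; that is an assumption for illustration, not a quote of the project's patch.

```javascript
// Added example, not code from the PR or from ansi-regex. The hardened pattern
// below is an assumed fix for illustration, not the project's actual regex.

// Vulnerable: a bare ';' can be taken either by the prefix class [[\]()#;?]* or
// by the repeated group (?:;X*)*, so on a long run of ';' with no terminator the
// engine tries every split of the run between the two before failing: O(n^2).
const VULNERABLE = /[\u001B\u009B][[\]()#;?]*(?:(?:(?:;[-a-zA-Z\d\/#&.:=?%@~_]*)*|[a-zA-Z\d]+(?:;[-a-zA-Z\d\/#&.:=?%@~_]*)*)?\u0007)/;

// Hardened (assumed fix): inside the first group each ';' must be followed by at
// least one parameter character, so a run of bare ';' has exactly one parse.
const FIXED = /[\u001B\u009B][[\]()#;?]*(?:(?:(?:;[-a-zA-Z\d\/#&.:=?%@~_]+)*|[a-zA-Z\d]+(?:;[-a-zA-Z\d\/#&.:=?%@~_]*)*)?\u0007)/;

// Constructed attack string, as in the PoC: ESC [ then n semicolons, never terminated.
function attackString(n) {
  return '\u001B[' + ';'.repeat(n);
}

// How long a pattern takes to reject the attack string of length n.
function rejectTimeMs(re, n) {
  const start = Date.now();
  const matched = re.test(attackString(n));
  return { matched, ms: Date.now() - start };
}

// Constructed corpus: a hardened pattern must keep accepting real OSC sequences.
const SAMPLES = [
  { input: '\u001B]8;;https://example.com\u0007', expect: true }, // OSC 8 hyperlink
  { input: '\u001B];;\u0007', expect: true },                    // bare separators
  { input: '\u001B[;a;b\u0007', expect: true },                  // mixed parameters
  { input: 'plain text', expect: false },
];

// Regression check: same accept/reject decisions on the corpus for both patterns.
function behaviourMatches(re) {
  return SAMPLES.every(s => re.test(s.input) === s.expect);
}

// The vulnerable pattern's rejection time grows ~4x per doubling of n; the
// hardened one stays flat.
for (const n of [1000, 2000, 4000]) {
  const v = rejectTimeMs(VULNERABLE, n);
  const f = rejectTimeMs(FIXED, n);
  console.log(`n=${n}: vulnerable ${v.ms} ms, hardened ${f.ms} ms`);
}
console.log('corpus ok:', behaviourMatches(VULNERABLE) && behaviourMatches(FIXED));
```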

@Qix-

Thank you for the reproduction and the patch, was able to reproduce.

I'll push out an update immediately.

@Qix-

Published as 6.0.1 - thanks again!

@sindresorhus

Thanks. It would have been good to have a regression test to ensure we don't accidentally regress the regex in the future.

bcoe mentioned this pull request (Sep 14, 2021)

Qix- pushed a commit that referenced this pull request (Sep 14, 2021)

@Qix-

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 High

Yet another example of how laughably broken CVE scores are.

This was referenced (Oct 13, 2021)

This was referenced (Oct 28, 2021)

MylesBorins pushed a commit to MylesBorins/ansi-regex that referenced this pull request (Nov 3, 2021)

MylesBorins pushed a commit to MylesBorins/ansi-regex that referenced this pull request (Nov 3, 2021)

MylesBorins added a commit to MylesBorins/ansi-regex that referenced this pull request (Nov 3, 2021)

@MylesBorins

This is a backport of chalk@8d1d7cd.

The test suite on the 3.0.0 branch is broken, but I've manually verified that no additional tests are broken and that this patch fixes the ReDoS.

Qix- mentioned this pull request (Nov 3, 2021)

Qix- pushed a commit that referenced this pull request (Mar 12, 2022)

Qix- pushed a commit that referenced this pull request (Mar 27, 2022)

This was referenced (May 21, 2022)

This was referenced (May 6, 2022)

This was referenced (May 16, 2022)

chalk locked as resolved and limited conversation to collaborators (Nov 21, 2022)
