
A ReDoS vulnerability exists in grammar.js

Open d1tto opened this issue 2 years ago • 4 comments

The affected code is located in grammar.js, line 191. It uses the vulnerable regular expression '(\\.|[^'\\])*'. When the match fails, it will cause catastrophic backtracking. I generated the PoC using the Python script below:

# Write the PoC grammar file: a long run of escaped NUL bytes and escaped
# quotes with no closing quote, so the string-literal regex never matches.
with open("test.LR0", "w") as f:
    f.write("\u0000\\\u0000\\'" * 40000)

Then run: ./syntax --grammar test.LR0

d1tto avatar Nov 18 '22 09:11 d1tto
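To make the failure mode concrete, here is an added example (not code from the syntax project or from the PR in this thread): a hand-written scanner for the same token class the reported regex matches, checked differentially against that regex so the two can be compared on normal and on unterminated input. `scanSingleQuoted`, `regexSingleQuoted` and `agreesWithRegex` are names chosen for this example, and it assumes the regex runs without the `s` flag.

```javascript
// Added example, not code from the syntax project or from the PR in this
// thread: a hand-written scanner that accepts the same single-quoted
// string tokens as the reported regex, but decides an unterminated
// literal in one left-to-right pass instead of by backtracking.
// Assumption: the regex is applied without the `s` flag, so `.` after a
// backslash does not match a line terminator.
const REPORTED_RE = /'(\\.|[^'\\])*'/y; // sticky: must match at lastIndex

// Linear-time equivalent. Returns the lexeme (quotes included) or null.
function scanSingleQuoted(input, pos = 0) {
  if (input[pos] !== "'") return null;
  let i = pos + 1;
  while (i < input.length) {
    const ch = input[i];
    if (ch === "'") return input.slice(pos, i + 1); // closing quote found
    if (ch === "\\") {
      // Escape: consume the backslash and the next character, unless the
      // input ends or the next character is a line terminator (`.` fails).
      const next = input[i + 1];
      if (next === undefined || /[\n\r\u2028\u2029]/.test(next)) return null;
      i += 2;
    } else {
      i += 1; // any other character, including a bare newline
    }
  }
  return null; // end of input without a closing quote: rejected in O(n)
}

// The regex as reported, anchored at `pos` the way a tokenizer would use it.
function regexSingleQuoted(input, pos = 0) {
  REPORTED_RE.lastIndex = pos;
  const m = REPORTED_RE.exec(input);
  return m ? m[0] : null;
}

// Differential check: both recognisers must agree on every input.
function agreesWithRegex(input, pos = 0) {
  return scanSingleQuoted(input, pos) === regexSingleQuoted(input, pos);
}

// Constructed inputs: a normal escaped literal, a trailing backslash, and a
// short version of the report's unterminated pattern (escaped NULs and
// escaped quotes only, so no closing quote is ever reachable).
const SAMPLES = [
  "'a\\'b' rest",
  "'abc\\",
  "'" + "\u0000\\\u0000\\'".repeat(200),
];
SAMPLES.forEach((s) => console.log(agreesWithRegex(s), JSON.stringify(scanSingleQuoted(s))));
```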

Thanks for the report - what's the impact here? Would be great to fix it - and will appreciate a PR for this.

DmitrySoshnikov avatar Nov 18 '22 20:11 DmitrySoshnikov

> Thanks for the report - what's the impact here? Would be great to fix it - and will appreciate a PR for this.

Thanks for your reply! The impact here is that, if the user provides the grammar file generated by the Python script above, the regex engine will exhaust computing resources and the application will be slow to respond, causing a denial-of-service attack. You can read the report related to ReDoS to learn more about it.

d1tto avatar Nov 19 '22 05:11 d1tto

I have submitted a PR, could you take a look?

d1tto avatar Nov 22 '22 07:11 d1tto

Hi @d1tto, thanks for the PR - do we have an existing test for this (or need to add a new one)?

DmitrySoshnikov avatar Nov 22 '22 19:11 DmitrySoshnikov