
Use 're2' package to prevent ReDoS?

Open phormio opened this issue 5 years ago • 3 comments

According to the Ajv documentation:

some formats that ajv-formats package implements use regular expressions that can be vulnerable to ReDoS attack

Have you considered using the re2 package to eliminate this risk? According to its documentation:

RE2 was designed and implemented with an explicit goal of being able to handle regular expressions from untrusted users without risk. One of its primary guarantees is that the match time is linear in the length of the input string.

phormio avatar Dec 12 '20 20:12 phormio

Yeah, we are thinking about the same to secure Ajv. It would be cool to have such an option.

shumkov avatar Jan 25 '21 12:01 shumkov

This option probably belongs in ajv - this package both uses formats in some functions and also provides regular expressions that ajv uses directly, so it would have to somehow use different branches depending on ajv option...

epoberezkin avatar Mar 27 '21 09:03 epoberezkin

Makes sense. Probably, this issue should be moved to ajv repo.

Actually, the RE2 npm package is almost a drop-in replacement for RegExp constructor. We are planning to monkey-patch (something like global.RegExp = RE2) ajv on the first iteration.

shumkov avatar Mar 27 '21 15:03 shumkov