
fix: Regular expression injection

Open · odaysec opened this issue 10 months ago · 1 comment

Fix for the vulnerability in #247

To fix the problem, we need to sanitize the user input before using it to construct the regular expression. The best way to do this is by using the _.escapeRegExp function from the lodash library, which escapes special characters in the input string. This ensures that the user cannot insert characters that have special meaning in regular expressions.

  1. Install the lodash package if it is not already installed.
  2. Import the lodash library in the file.
  3. Use the _.escapeRegExp function to sanitize the config.exclude_regex before constructing the regular expression.

Suggested fixes powered by Zeroday Operation Research LLC.

References

  - OWASP: Regular expression Denial of Service - ReDoS
  - Wikipedia: ReDoS
  - npm: lodash
  - Common Weakness Enumeration: CWE-730
  - Common Weakness Enumeration: CWE-400

odaysec · Feb 26 '25 11:02

Thanks for the PR, this repository is no longer maintained.

c-nixon · Feb 26 '25 13:02