
malicious regular expressions

Open dominictarr opened this issue 9 years ago • 3 comments

This is vulnerable to evil regular expressions. It's possible to construct a regular expression that executes in exponential time, which won't look like an obvious infinite loop but will lock the CPU for a while.

require('notevil')("/((a+)+)b/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaa')")

This tricks the regex evaluator into searching for all possible ways to arrange the two nested a groups (since the string is missing a b at the end, it will continue searching; if it had a b it would return as soon as it found a match).

The simplest way to prevent this is just to block regular expressions with a star height > 1 (i.e. with nested groups). This may block some non-evil regular expressions, but is much simpler than implementing a regular expression interpreter.

For more detail: http://perlgeek.de/blog-en/perl-tips/in-search-of-an-exponetial-regexp.html

Also, @substack has a module for detecting safe regular expressions: https://github.com/substack/safe-regex

dominictarr, Mar 19 '15 00:03
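The star-height gate proposed in the issue, written out as an added example (this is not notevil's code and not code from anyone in the thread). starHeight() walks a regex source string and returns the deepest nesting of quantifiers: a quantifier applied to a group that itself contains a quantifier gives height 2, which is exactly the shape of ((a+)+)b. The parser assumes ECMAScript syntax and recognises escapes, character classes, {m,n} counts and the (?: (?= (?! (?<= (?<! (?<name> group prefixes; anything else is treated as a plain atom. The function names isSafeRegex and guardedTest, and the sample inputs, are my own.

```javascript
// Added example: a conservative static pre-check for "star height > 1", in the
// spirit of the issue's suggestion. Not part of notevil. It over-approximates
// (some harmless patterns are rejected) rather than letting nested quantifiers through.

const COUNTED = /^\{\d+(,\d*)?\}/; // {m}, {m,}, {m,n}; anything else is a literal '{'

function starHeight(source) {
  const stack = [];        // per open group: max quantifier height seen inside it
  let maxHeight = 0;
  let lastAtomHeight = 0;  // height of the atom a following quantifier would apply to
  let inClass = false;
  let i = 0;

  while (i < source.length) {
    const c = source[i];

    if (c === '\\') { lastAtomHeight = 0; i += 2; continue; }         // escape: one atom
    if (inClass) { if (c === ']') inClass = false; i++; continue; }  // inside [...]
    if (c === '[') { inClass = true; lastAtomHeight = 0; i++; continue; }

    if (c === '(') {
      stack.push(0);
      lastAtomHeight = 0;
      i++;
      if (source[i] === '?') {                          // group prefix, not a quantifier
        i++;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          const close = source.indexOf('>', i);         // named group (?<name>...)
          i = close === -1 ? source.length : close + 1;
        } else if (source[i] === '<') {
          i += 2;                                       // lookbehind (?<= or (?<!
        } else {
          i++;                                          // (?: (?= (?!
        }
      }
      continue;
    }

    if (c === ')') { lastAtomHeight = stack.length ? stack.pop() : 0; i++; continue; }

    let quantifierLen = 0;
    if (c === '*' || c === '+' || c === '?') quantifierLen = 1;
    else if (c === '{') { const m = COUNTED.exec(source.slice(i)); if (m) quantifierLen = m[0].length; }

    if (quantifierLen > 0) {
      const h = lastAtomHeight + 1;                     // quantifier over an atom of height h-1
      if (stack.length) stack[stack.length - 1] = Math.max(stack[stack.length - 1], h);
      maxHeight = Math.max(maxHeight, h);
      i += quantifierLen;
      if (source[i] === '?') i++;                       // lazy suffix (+?, *?, ??, {m,n}?)
      lastAtomHeight = 0;
      continue;
    }

    lastAtomHeight = 0;                                 // literal, '|', '.', '^', '$', literal '{'
    i++;
  }
  return maxHeight;
}

// Gate applied before a pattern reaches the native engine (hypothetical helper).
function isSafeRegex(source, maxStarHeight = 1) {
  return starHeight(source) <= maxStarHeight;
}

// Runs new RegExp(source).test(input) only if the gate passes; throws otherwise.
function guardedTest(source, input) {
  if (!isSafeRegex(source)) {
    throw new Error(`regex rejected: star height ${starHeight(source)} > 1`);
  }
  return new RegExp(source).test(input);
}

// Constructed demonstration with the pattern from the issue; the evil pattern
// is only analysed, never executed against a long input.
const evil = '((a+)+)b';
console.log(evil, '-> star height', starHeight(evil), isSafeRegex(evil) ? 'allowed' : 'blocked');
console.log('a+b -> star height', starHeight('a+b'), guardedTest('a+b', 'xaaab'));
```

The gate is cheap (one linear pass over the pattern source) and can sit in front of the native engine, as the last comment in the thread suggests. It is a syntactic filter, not a proof of linear matching time: patterns of star height 1 with overlapping alternatives, such as (a|aa)*, can still backtrack badly, so a run-time step budget or an interpreter with a bounded step count is the complementary control.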

I knew this would be a rabbit hole :dizzy_face:

mmckegg, Mar 19 '15 00:03

Boom!

aredridel, Mar 19 '15 00:03

Hey, it looks like this might do it: https://github.com/aaditmshah/regex. You'd just need to add the run-time checker... maybe use the native regex engine for safe regular expressions and the interpreted one for unsafe.

dominictarr, Mar 19 '15 00:03