html-parse-stringify2 icon indicating copy to clipboard operation
html-parse-stringify2 copied to clipboard

Published 20 hours ago verified publisher icon rayd

Regular Expression Denial of Service possible

Open andyedwardsibm opened this issue 3 years ago • 7 comments

https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307 has been raised for a ReDoS vulnerability, along with CVE-2021-23346. The vulnerability is at https://github.com/rayd/html-parse-stringify2/blob/dbf026f9010a14167e5a9e8589464f660233e446/lib/parse.js#L2

There is a recent fix in the original repo this was forked from. Could the same fix be applied here?

andyedwardsibm avatar Mar 08 '21 10:03 andyedwardsibm

i'm sort of wondering if this repo is sorta abandoned or even if it's sort of relevant? as per the description, This could be temporary - I'll gladly drop this if activity picks back up on the original repo. while the original has got it fixed..

dnsmob avatar Mar 10 '21 11:03 dnsmob

I fear you're right

The CVE is "applicable", as the following command does not return in a timely manner...

node -e "const p=require('./index.js'); p.parse(\"<\!'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''\!\"); console.log('done')"

Replacing https://github.com/rayd/html-parse-stringify2/blob/dbf026f9010a14167e5a9e8589464f660233e446/lib/parse.js#L2 with /(?:<!--[\S\s]*?-->|<(?:"[^"]*"|'[^']*'|[^'">])+>)/g returns in milliseconds.

I'd offer a PR in the hope that this repo is still maintained, but I can't get the test case in https://github.com/HenrikJoreteg/html-parse-stringify/commit/c7274a48e59c92b2b7e906fedf9065159e73fe12 to ever fail. For some reason, running under test, the RegEx fails to match much more quickly than when calling the parse code directly :confused:

For now, I guess that anyone else that searches for this CVE will end up here as well

andyedwardsibm avatar Mar 10 '21 18:03 andyedwardsibm

i did the same and tests on this repo fail to match the html tag -- of course, it's not a "tag", it thinks it's valid <''>. so this test

    var tag = "<!''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!"
    t.deepEqual(parseTag(tag), {
        type: 'tag',
        attrs: {},
        name: '',
        voidElement: false,
        children: []
    });

expects name to be \'\' which is kinda silly and probably means that that regex doesnt really do the job.

i did a hot swap of this module with node-html-parser in react-i18next as it has a parse function too, but it needs to be compiled to work as a dependency for me. on the bright side, this node parser doesnt have vulns 😃

dnsmob avatar Mar 10 '21 22:03 dnsmob

Just want to check what you mean above when you say

this node parser doesnt have vulns

If I run the following snippet, it consumes a CPU at 100% and doesn't return, therefore html-parse-stringify2 is vulnerable to the RegEx DoS attack...

require('html-parse-stringify2').parse("<!'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!")

andyedwardsibm avatar Mar 11 '21 09:03 andyedwardsibm

i meant node-html-parser doesnt have vulnerabilities and on a hot swap it seems to work (but tbh i havent checked the source code to see if it could be used as a replacement for html-parse-stringify2, i just did a simple test).

dnsmob avatar Mar 11 '21 11:03 dnsmob

Ah gotcha - thanks :smiley:

andyedwardsibm avatar Mar 11 '21 15:03 andyedwardsibm

node-html-parser 2.0.1 and 2.0.2 cannot be used via npm unfortunately. Reason: https://github.com/HenrikJoreteg/html-parse-stringify/issues/42

kachkaev avatar Mar 19 '21 19:03 kachkaev