The RA application's client-side areas operate with an inefficient regular expression, which may ultimately lead to a client-side Denial-of-Service (ReDoS). The general composition, in combination with the presence of non-greedy quantifiers and multiple wildcards within the matchWord regular expression, was deemed subpar due to backtracking, thus resulting in exponential complexity. This renders the process vulnerable in the event a larger set of matched characters is handled. As a consequence, the application could be forced into performing excessive calculations, which will overload the running process.
This issue is imported from pivotal - Originally created on Nov 6, 2023 by Peter Havekes
Affected file:

`Stepup-RA/src/Surfnet/StepupRa/RaBundle/Resources/public/js/moment/src/lib/parse/regex.js`

Affected code:

```js
export var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
```
Solution
Limit the length of the matching strings
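The following is an added example, not code from this issue or from the moment project: it places the quoted `matchWord` regex beside a variant in which every unbounded quantifier is capped at 256 (the same shape the regex has in current moment releases), times a match so the backtracking cost can be observed, and shows the caller-side form of "limit the length" by truncating input before matching. The crafted input (a long run of `/`), the `timeMatch`, `slashPayload` and `matchWordSafe` helpers, and the `MAX_TOKEN_INPUT` limit are my assumptions for illustration.

```javascript
// Added example (not moment's or Stepup-RA's code): the unbounded matchWord
// regex from the issue beside a bounded one, plus a timing helper.

// Regex as quoted in the issue: every repetition is unbounded, so the engine
// can backtrack through every shorter prefix before giving up at a position.
const matchWordVulnerable =
  /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF/]+(\s*?[\u0600-\u06FF]+){1,2}/i;

// Bounded form: identical character classes, but each repetition is capped at
// 256, so the work at any single start position is bounded by a constant.
const matchWordBounded =
  /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;

// Run re.exec(input) once and report elapsed wall time (ms) and the match text.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const m = re.exec(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { ms, matched: m ? m[0] : null };
}

// Constructed attack input (assumption): '/' is accepted by the first class of
// the Arabic alternative but the following group needs an Arabic letter, so the
// match fails at every start position only after backtracking through the
// whole remaining run of slashes: quadratic work for the unbounded regex.
function slashPayload(n) {
  return '/'.repeat(n);
}

// Caller-side length limit (assumption): truncate untrusted input before it
// reaches the regex, independent of how the regex itself is written.
const MAX_TOKEN_INPUT = 1024;
function matchWordSafe(input) {
  const m = matchWordBounded.exec(input.slice(0, MAX_TOKEN_INPUT));
  return m ? m[0] : null;
}

// Constructed sample inputs: a Latin month name and an Arabic one.
const LATIN_MONTH = 'January';
const ARABIC_MONTH = '\u064A\u0646\u0627\u064A\u0631';

function demo() {
  // Ordinary tokens match the same way under both regexes.
  console.log(timeMatch(matchWordVulnerable, LATIN_MONTH));
  console.log(timeMatch(matchWordBounded, ARABIC_MONTH));
  // The crafted input never matches; only the time to discover that differs.
  const n = 10000;
  console.log('unbounded:', timeMatch(matchWordVulnerable, slashPayload(n)));
  console.log('bounded:  ', timeMatch(matchWordBounded, slashPayload(n)));
  console.log('safe:     ', matchWordSafe('a'.repeat(5000)).length);
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Raising `n` in `demo()` makes the gap visible: the unbounded regex's time grows with the square of the input length, while the bounded one grows linearly because each start position can cost at most 256 steps before the alternative is abandoned. The bound does change behaviour for tokens longer than 256 characters (only the first 256 are matched), which is acceptable for month and weekday names but worth confirming for any other use of the same regex.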