-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerable Regular Expression #92
Comments
Nice find. An actual example will be helpful in verification of a fix. |
Sure, here it is: function genstr(len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var start = process.hrtime();
var tough = require('tough-cookie');
var str = "x" + genstr(50000, ' ') + "x";
var Cookie = tough.Cookie;
var cookie = Cookie.parse(str);
var end = process.hrtime(start);
console.info("Execution time (hr): %ds %dms", end[0], end[1] / 1000000); |
@cristianstaicu remember to start your timer right before your parse operation (i.e. after your require and string generation) for accurate time measurements. Given that node limits header size to 80kb the dos is limited to about 7.3 seconds. At Node Security we consider anything over 1 second to be a valid issue. |
Just fyi, nsp has this on their radar so anyone with |
Indeed. Got the nsp error from our pre-commit hook. But is there a way to overcome it temporarily until a fix for tough-cookie is in place? I'd like to avoid of course disabling entirely the nsp check. |
You could add an exception to your |
@adamwdennis Please fix as our builds are failing and I don't want to whitelist the advisory |
add the following to a
|
Please remove this once this Issue have been fixed and used in the different packages salesforce/tough-cookie#92
Hey Guys, |
While we haven't heard from the maintainers, suggesting limiting the number of whitespaces in the key. |
Snyk is picking this up now too, https://snyk.io/vuln/npm:tough-cookie:20170905 |
Known vulnerability for 16+ days... time to patch guys. |
Once we have #94 issues resolved can someone from @salesforce/tough-cookie-contributors with npm permissions publish an update? |
I apologize for the late pickup of this. I'm closely monitoring this issue and PR now. @inikulin yes I can push an update as soon as we get a fix. |
My team's CI security checks started failing today due to this issue and I'm happy to see that you are on top of it. Thanks for your work on this! It is much appreciated! 👍 |
Published fix as 2.3.3 - will leave this ticket open until I've resolved it with nsp/snyk |
do you know how long it takes nsp to update on their side? |
@mshibl unsure, but I've emailed both nodesecurity and snyk |
We updated Snyk's DB, results should factor in the 2.3.3 fix now. |
Snyk and nodesecurity are both updated. Closing issue. One more apology (can't help it, 🇨🇦 ): sorry for the delay in fixing this folks. I've fixed my notification settings and email filters so this won't happen again. I've been working on a change that removes the problematic regex parsing entirely. Hopefully more on this soon, but a preview is on the Thank you to @cristianstaicu @grnd @inikulin and everyone else (especially for your patience) |
See: https://www.versioneye.com/Node.JS/tough-cookie/2.3.2; salesforce/tough-cookie#97; salesforce/tough-cookie#92. (A large cookie could cause a slowdown.) This is not really necessary since fresh installs or installs using package-lock.json already get the 2.3.3 version, but we might as well.
`request` pulls in `tough-cookie` which recently address a ReDoS vulnerability: salesforce/tough-cookie#92
Latest version of `request` pulls in `tough-cookie` which recently address a ReDoS vulnerability: salesforce/tough-cookie#92
`request` pulls in `tough-cookie` which recently address a ReDoS vulnerability: salesforce/tough-cookie#92
* Winter '20 (API 47.0) prep * 0.6.0 * use node LTS in CI * Prerelease 0.6.1 (#98) * 0.6.1-alpha1 * wip: synthetic shadow dep * wip: add testEnvironment to preset * update yargs for security alert (#90) * update yargs for security alert * fix test * Bump eslint-utils from 1.3.1 to 1.4.2 (#89) Bumps [eslint-utils](https://github.com/mysticatea/eslint-utils) from 1.3.1 to 1.4.2. - [Release notes](https://github.com/mysticatea/eslint-utils/releases) - [Commits](mysticatea/eslint-utils@v1.3.1...v1.4.2) Signed-off-by: dependabot[bot] <[email protected]> * Update input stub to support "autocomplete" property (#92) * Update to include date-style and time-style attributes (#94) * 0.6.1
The following regular expression used for parsing the cookie is vulnerable to ReDoS:
/^(([^=;]+))\s*=\s*([^\n\r\0]*)/
The slowdown is moderately low: for 50.000 characters around 2.5 seconds matching time. However, I would still suggest one of the following:
I noticed there is another bug report regarding the correctness of this regular expression.
If needed, I can provide an actual example showing the slowdown.
The text was updated successfully, but these errors were encountered: