Vulnerable Regular Expression
See original GitHub issue

The following regular expression used in the mime lookup is vulnerable to ReDoS:
/.*[\.\/\\]/
The slowdown is moderately low: for 50,000 characters the matching time is around 2 seconds. However, I would still suggest one of the following:
- remove the regex,
- anchor the regex,
- limit the number of characters that can be matched by the repetition,
- limit the input size.
If needed, I can provide an actual example showing the slowdown.
Issue Analytics: created 6 years ago; comments: 5 (3 by maintainers)
Top GitHub Comments
npm published in v1.4.1 and 2.0.3

I believe I'm able to repro the issue with the code below. Looks like complexity is ~O(N^2).

Yields the following output
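The repro code and output from the comment above are not preserved on this page. The following is an added example, not the mime project's code or the commenter's: it puts the reported pattern next to two of the mitigations the issue lists (anchoring the regex, and dropping the regex for a plain backwards scan), adds a third (rejecting over-long input, with an assumed 1024-character limit), and includes a small timing harness that shows why the unanchored form behaves as ~O(N^2). All inputs are constructed; the printed timings are illustrative and depend on the machine and engine.

```javascript
// Added example (not the mime project's own code). Compares the regex
// reported in the issue with hardened alternatives and times the worst case.

// The pattern from the issue: strip everything up to the last '.', '/' or '\'.
// Unanchored, so the engine retries from every start position, and at each
// position `.*` first swallows the rest of the string and then backs off one
// character at a time looking for a separator. On an N-character input with
// no separator at all that is roughly N^2/2 steps.
const VULNERABLE_RE = /.*[\.\/\\]/;

// Mitigation "anchor the regex": with `^` there is a single start position,
// so the worst case is one greedy pass plus one backtracking pass, linear in N.
const ANCHORED_RE = /^.*[\.\/\\]/;

function extVulnerable(path) {
  return String(path).replace(VULNERABLE_RE, '');
}

function extAnchored(path) {
  return String(path).replace(ANCHORED_RE, '');
}

// Mitigation "remove the regex": one backwards scan for the last separator.
// Caveat: `.` in the regexes does not match line terminators, so the regex
// and non-regex forms only agree on inputs without '\n' or '\r'.
function extNoRegex(path) {
  const s = String(path);
  const idx = Math.max(s.lastIndexOf('.'), s.lastIndexOf('/'), s.lastIndexOf('\\'));
  return idx === -1 ? s : s.slice(idx + 1);
}

// Mitigation "limit the input size": refuse oversized lookups before any
// matching happens. MAX_PATH_LENGTH is an assumed value chosen for this example.
const MAX_PATH_LENGTH = 1024;
function extBounded(path) {
  const s = String(path);
  if (s.length > MAX_PATH_LENGTH) {
    throw new RangeError(`path too long for mime lookup: ${s.length} > ${MAX_PATH_LENGTH}`);
  }
  return extAnchored(s);
}

// Worst case for the vulnerable pattern: N characters, none of them a separator.
function worstCaseInput(n) {
  return 'a'.repeat(n);
}

// Milliseconds spent in fn on a worst-case input of length n.
function benchMs(fn, n) {
  const input = worstCaseInput(n);
  const t0 = process.hrtime.bigint();
  fn(input);
  const t1 = process.hrtime.bigint();
  return Number(t1 - t0) / 1e6;
}

// Doubling n should roughly quadruple the vulnerable time and only double
// the anchored and non-regex times.
for (const n of [4000, 8000, 16000]) {
  console.log(
    `n=${n}`,
    `vulnerable=${benchMs(extVulnerable, n).toFixed(1)}ms`,
    `anchored=${benchMs(extAnchored, n).toFixed(1)}ms`,
    `noRegex=${benchMs(extNoRegex, n).toFixed(1)}ms`
  );
}
```

The three extraction functions return the same result on ordinary paths (`"a/b.c/d"` gives `"d"`, `"archive.tar.gz"` gives `"gz"`, a path with no separator is returned unchanged), so either hardened form is a drop-in replacement for the reported pattern; the bounded variant additionally caps the work a single lookup can cost regardless of which matcher sits behind it.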