Vulnerable Regular Expression
The following regular expression used in the “o” formatter is vulnerable to ReDoS:
/\s*\n\s*/
The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:
- remove the regex,
- anchor the regex,
- limit the number of characters that can be matched by the repetition,
- limit the input size.
If needed, I can provide an actual example showing the slowdown.
Issue Analytics
- Created 6 years ago
- Reactions:6
- Comments:9 (5 by maintainers)
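The report above does not show the formatter's code, only the regex, so the following is an added example (not code from the issue or from the project it was filed against) that makes the reporter's point concrete. It assumes the formatter uses the regex the way a `String.prototype.replace` call would; the function names are chosen here. Because `\s` already matches `\n`, the greedy `\s*` swallows the newline and the engine has to back off one character at a time to find it again; on a long run of whitespace that contains no newline this retry happens from every start position, which is the quadratic slowdown the report describes. The scanner below finds exactly the same matches (every maximal whitespace run that contains at least one `\n`) in a single pass, which is the "remove the regex" option from the reporter's list.

```javascript
'use strict';
// Added example, not code from the issue or the project it reports against.

// The regex from the report. `\s` matches `\n`, so `\s*` can consume the
// newline and the engine must backtrack through the whole whitespace run to
// find it. With no newline present that happens at every start position.
const VULNERABLE = /\s*\n\s*/g;

// Single-character class test: `\s` on one character is O(1), and reusing the
// same class keeps the scanner's idea of "whitespace" identical to the regex.
const isSpace = (ch) => /\s/.test(ch);

// Every match of /\s*\n\s*/ is one maximal whitespace run containing at least
// one `\n`. Walk the string once and return those runs as [start, end) pairs.
function findLineBreakRuns(str) {
  const runs = [];
  let runStart = -1;       // index where the current whitespace run began
  let sawNewline = false;  // whether that run contains a `\n`
  for (let i = 0; i <= str.length; i++) {
    const inRun = i < str.length && isSpace(str[i]);
    if (inRun) {
      if (runStart < 0) runStart = i;
      if (str[i] === '\n') sawNewline = true;
    } else if (runStart >= 0) {
      if (sawNewline) runs.push([runStart, i]);
      runStart = -1;
      sawNewline = false;
    }
  }
  return runs;
}

// Linear-time drop-in for str.replace(VULNERABLE, replacement) with a
// fixed replacement string (assumed usage; the formatter's code is not shown).
function replaceLineBreakRuns(str, replacement) {
  let out = '';
  let last = 0;
  for (const [start, end] of findLineBreakRuns(str)) {
    out += str.slice(last, start) + replacement;
    last = end;
  }
  return out + str.slice(last);
}

// Constructed worst-case input: whitespace only, no newline, so the regex
// rescans the remaining run from every position and never matches.
function worstCaseInput(n) {
  return ' '.repeat(n);
}

// Wall-clock milliseconds for each approach on the worst-case input.
function timeBoth(n) {
  const input = worstCaseInput(n);
  let t = process.hrtime.bigint();
  input.replace(VULNERABLE, '');
  const regexMs = Number(process.hrtime.bigint() - t) / 1e6;
  t = process.hrtime.bigint();
  replaceLineBreakRuns(input, '');
  const scanMs = Number(process.hrtime.bigint() - t) / 1e6;
  return { n, regexMs, scanMs };
}

// Small run so the block finishes quickly; raise n to reproduce the report.
console.log(timeBoth(2000));
```

Doubling `n` should roughly quadruple `regexMs` while `scanMs` grows linearly; the 2 seconds at 50,000 characters is the reporter's own measurement and will vary by engine and machine. If the regex is kept instead, the reporter's other options apply: bound each repetition (`\s{0,N}\n\s{0,N}`) so the backtracking per start position is capped, or cap the input length before it reaches the formatter.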
Top GitHub Comments
Confirmed, regressed in 6ab9525c9841b656d996e521cf86192d5647483a a long while ago. Will push a fix, thank you for the report @yaniv-checkmarx @Eden-checkmarx. Apologies for the delay until now.
Hi @yaniv-checkmarx, I’ve been focused on other things the last few weeks. Apologies. I’ll take a look within the next week to see if I can validate.