
[VULNERABILITY] Parsing a long String will result in 100% CPU usage and `String.test` will never finish

IMPORTANT UPDATE (8/15/20)

Per my comment below, I have released my own package, url-regex-safe, which resolves this issue, and all (solvable) existing issues and pull requests here in this GitHub repository. The new package has 100% test coverage and is available at https://github.com/niftylettuce/url-regex-safe. It has more sensible defaults as well.

Example:

    > require('url-regex')({ strict: false }).test('018137.113.215.4074.138.129.172220.179.206.94180.213.144.175250.45.147.1364868726sgdm6nohQ')

The only way to exit out is to SIGINT.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 7
  • Comments: 12 (1 by maintainers)

Top GitHub Comments

6 reactions
niftylettuce commented, Aug 15, 2020

This issue is fixed in my maintained and modern version of this package at https://github.com/niftylettuce/url-regex-safe. You should be able to switch from url-regex to url-regex-safe now. See the updated list of options as I added some new ones, and changed a few defaults to more sensible ones (since not everyone is parsing Markdown for instance).

2 reactions
ggkitsas commented, Jun 2, 2020

Hi, I am communicating on behalf of Snyk’s Security Team. We have verified this vulnerability and reached out to try and discuss this issue further with the maintainers several times. As of now we have yet to get a response, and due to this vulnerability already being exposed publicly, we feel the responsible thing to do is to move to official disclosure.

We have internally assigned a CVE to this vulnerability and will be looking to publish it in our public database in the next 24 hours - if any of the maintainers wish to reach out to us and discuss or wish for us to wait - please do reach out either here or to our disclosure email report@snyk.io, as we would be very happy to discuss with the maintainer team before publishing.

George, Snyk Security Team
