New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: remove catastrophic backtracking vulnerability #10019
Conversation
42ebc8c
to
7499205
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So it's just the \s*
that's problematic here?
lib/util/interpolate.js
Outdated
return text.replace(/\{\{([^{}]+?)\}\}/g, (fullMatch, term) => { | ||
|
||
// Strip leading and trailing whitespace. | ||
term = term.replace(/^\s+|\s+$/g, ""); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
term.trim()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haha! I knew there had to be a function for that.
Change template substitution regex to exclude fields with whitespace. This addresses possible O(n^2) catastrophic backtracking behavior. Very unlikely to be exploited. For eslint#10002.
7499205
to
58ad0af
Compare
A bit more complex than that. The original pattern contains a sub-sequence like this: \s*[^{}]+\s* Because the middle group's character class includes whitespace, it will match a superset of this pattern, which is easier to reason about: \s*\s+\s* If the input contains a long sequence of whitespace, the regex engine has to decide when to move from one \s to the next. The blow-up in this case is O(n^2). In the worst case catastrophic backtracking can be O(2^n). |
It would be helpful if a developer can comment on whether this is a very low-risk security problem or just a potential problem if someone else were to copy/paste later. If a real problem, I will follow up with Snyk.io to get a low-severity vulnerability ID assigned. |
It's an eslint rule config; imo it's the lowest nonzero risk you can get :-) |
I don't think this is realistically exploitable, because only an ESLint rule can provide a string to that regex, and an ESLint rule already can execute arbitrary code. So I'm fine with removing it for performance reasons, but I don't consider this to be a security issue in its current location. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, this seems reasonable and doesn't make things much harder to read. Thanks for the PR!
What is the purpose of this pull request? (put an "X" next to item)
[ ] Documentation update
[X] Bug fix (template)
[ ] New rule (template)
[ ] Changes an existing rule (template)
[ ] Add autofixing to a rule
[ ] Add a CLI option
[ ] Add something to the core
[ ] Other, please explain:
What changes did you make? (Give an overview)
Change template substitution regex to exclude fields with whitespace.
This addresses possible O(n^2) catastrophic backtracking behavior.
The function behavior is unchanged.
Very unlikely to be exploited. For #10002.
Is there anything you'd like reviewers to focus on?
No.