Skip to content

fix(rtrim): remove regex to prevent ReDOS attack#1738

Merged
profnandaa merged 1 commit intovalidatorjs:masterfrom
tux-tn:hotfix/rtrim
Nov 1, 2021
Merged

fix(rtrim): remove regex to prevent ReDOS attack#1738
profnandaa merged 1 commit intovalidatorjs:masterfrom
tux-tn:hotfix/rtrim

Conversation

@tux-tn
Copy link
Member

@tux-tn tux-tn commented Sep 27, 2021
edited
Loading

This PR fixes a potential ReDOS in rtrim sanitizer. A try has been made in #1603 to fix the same vulnerability but it looks like we failed to prevent it.

The new implementation is not based on regex and is inspired by Steven Levithan's blog post and trim package implementation.

Thanks to @yetingli for discovering the vulnerability and huntr.dev for reporting it

Checklist

  • PR contains only changes related; no stray files, etc.

@codecov
Copy link

codecov bot commented Sep 27, 2021

Codecov Report

Merging #1738 (b21879c) into master (c899b31) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff            @@
##            master     #1738   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          102       102           
  Lines         2015      2020    +5     
  Branches       454       454           
=========================================
+ Hits          2015      2020    +5
Impacted Files Coverage Δ
src/lib/rtrim.js 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c899b31...b21879c. Read the comment docs.

ezkemboi
ezkemboi reviewed Sep 29, 2021
View reviewed changes
src/lib/rtrim.js
return str.replace(pattern, '');
}
// Use a faster and more safe than regex trim method https://blog.stevenlevithan.com/archives/faster-trim-javascript
let strIndex = str.length - 1;
Copy link
Member

@ezkemboi ezkemboi Sep 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering why this is not in the else statement, but I might less understand that because we have done return already.

Copy link
Member Author

@tux-tn tux-tn Sep 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's exactly that. If an if block contains a return statement, the else block is unnecessary and the instructions after the block will only be executed when the if condition is not met!

@tux-tn tux-tn requested a review from profnandaa November 1, 2021 05:25
@profnandaa
Copy link
Member

profnandaa commented Nov 1, 2021

@tux-tn -- sorry missed on this one, will get it in for the release. Thanks!

@profnandaa profnandaa merged commit 496fc8b into validatorjs:master Nov 1, 2021
@profnandaa profnandaa mentioned this pull request Nov 1, 2021
Closed
@tux-tn tux-tn deleted the hotfix/rtrim branch November 1, 2021 21:52
This was referenced Nov 11, 2021
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ezkemboi ezkemboi ezkemboi left review comments

@profnandaa profnandaa profnandaa approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tux-tn @profnandaa @ezkemboi