Headline
GHSA-ffmh-x56j-9rc3: Regular Expression Denial of Service in jquery-validation
Summary
The issue is the same as CVE-2021-43306: an exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package when an attacker is able to supply arbitrary input to the url2 method.
The fix for CVE-2021-43306, which was suggested by me (@erik-krogh), was incomplete. I didn’t know at the time that the fix was incomplete, but the ReDoS analysis in CodeQL has improved since then.
Details
Issue: ReDoS in url2.js (GHSL-2022-039)
Below is a PoC that contains the relevant regular expression (the vulnerable version currently in url2.js). Run the following script with node and you will notice that it does not terminate.
// Vulnerable pattern from url2.js: the optional dot `\.?` inside the repeated hostname group
// lets the engine split a run of characters into labels in exponentially many ways.
const reg = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.?)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i;
// "//" followed by 100 zeros: no letters, so the final TLD part can never match and every
// possible split of the zeros into labels is tried before the match fails.
const str = "//" + "00".repeat(50);
console.log(reg.test(str));
...
The bad fix was identified using CodeQL, and the alert is visible on LGTM.com: https://lgtm.com/projects/g/jquery-validation/jquery-validation/snapshot/fec195de32da23c813b08a6a786a7f1cb6567069/files/src/additional/url2.js?sort=name&dir=ASC&mode=heatmap#x9013eb6c276f2ced:1
Impact
This issue may lead to DoS.
Remediation
The new vulnerability has since been fixed in the gist that the regular expression was copy-pasted from: https://gist.github.com/dperini/729294#file-regex-weburl-js-L62 The fix is to replace the regular expression in url2.js with that new version (copied below). The only change is in the hostname group: the optional dot "\.?" after each label becomes a mandatory "\.", so every iteration of the repeated group has to consume a dot and the input can no longer be split into labels in exponentially many ways.
/^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i
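As an added example (not part of this advisory or of the jquery-validation project), the script below puts the vulnerable url2 pattern and the fixed pattern from the gist side by side. It times the vulnerable pattern on the PoC payload at a few short lengths, so the exponential growth is visible without hanging the process, then checks that the fixed pattern rejects the full 100-character payload immediately and still accepts or rejects ordinary URLs as intended. The names payload, timedTest and isValidUrl are introduced here for the example and do not exist in jquery-validation.

```javascript
// Added example: vulnerable vs. fixed url2 regex (not code from jquery-validation).

// Vulnerable pattern (current url2.js): optional dot `\.?` inside the repeated hostname group.
const VULNERABLE_URL_REGEX = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.?)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i;

// Fixed pattern (dperini gist): the dot between labels is mandatory (`\.`), so each
// iteration of the group must consume a dot and the ambiguous splitting disappears.
const FIXED_URL_REGEX = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i;

// The advisory's payload, parameterised by length: "//" followed by n zeros (constructed input).
// There are no letters, so the TLD part `[a-z\u00a1-\uffff]{2,}` never matches; the vulnerable
// pattern then backtracks through every way of splitting the zeros into labels (~2^(n-1) paths).
function payload(n) {
  return "//" + "0".repeat(n);
}

// Runs re.test(str) and reports the result together with the wall-clock time in milliseconds.
function timedTest(re, str) {
  const start = process.hrtime.bigint();
  const matched = re.test(str);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Hypothetical validator using the fixed pattern (what url2 should do after the fix).
function isValidUrl(str) {
  return FIXED_URL_REGEX.test(str);
}

// Growth of the vulnerable pattern: each +4 in length multiplies the work by roughly 16.
// Lengths are kept small on purpose; the advisory's n = 100 does not finish in practice.
for (const n of [8, 12, 16]) {
  const r = timedTest(VULNERABLE_URL_REGEX, payload(n));
  console.log(`vulnerable  n=${n.toString().padStart(3)}: matched=${r.matched} in ${r.ms.toFixed(2)} ms`);
}

// The fixed pattern rejects the full PoC payload without backtracking blow-up.
const fixed = timedTest(FIXED_URL_REGEX, payload(100));
console.log(`fixed       n=100: matched=${fixed.matched} in ${fixed.ms.toFixed(2)} ms`);

// Sanity checks that the fix keeps the intended validation behaviour: public hosts and IPs pass,
// private ranges excluded by the negative lookaheads and non-URLs fail.
for (const u of ["https://example.com/path?x=1", "ftp://8.8.8.8:2121/file", "http://10.0.0.1", "http://192.168.1.1", "not a url"]) {
  console.log(`${isValidUrl(u) ? "accept" : "reject"}  ${u}`);
}
```

Both patterns agree on ordinary input; the difference only shows up on inputs built to fail late. Independently of the regex, a practitioner would also cap the length of the string handed to a validator like this (a URL longer than a few thousand characters is not worth matching), which bounds the damage of any further pattern that turns out to be superlinear.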
References
- GHSA-ffmh-x56j-9rc3