Headline
GHSA-cr84-xvw4-qx3c: Inefficient Regular Expression Complexity in shescape
Impact
This impacts users that use shescape to escape arguments:
- for the Unix shell Bash, or any not-officially-supported Unix shell;
- using the
escapeorescapeAllfunctions with theinterpolationoption set totrue.
An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
import * as shescape from "shescape";
/* 1. Prerequisites */
const options = {
interpolation: true,
// and
shell: "/bin/bash",
// or
shell: "some-not-officially-supported-shell",
// or
shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};
/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking
/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);
Patches
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Workarounds
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
References
For more information
- Comment on commit 552e8ea
- Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
Impact
This impacts users that use shescape to escape arguments:
- for the Unix shell Bash, or any not-officially-supported Unix shell;
- using the escape or escapeAll functions with the interpolation option set to true.
An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
import * as shescape from "shescape";
/* 1. Prerequisites */ const options = { interpolation: true, // and shell: "/bin/bash", // or shell: "some-not-officially-supported-shell", // or shell: undefined, // Only if the system’s default shell is bash or an unsupported shell. };
/* 2. Attack */ let userInput = '{,’.repeat(150_000); // polynomial backtracking
/* 3. Usage */ shescape.escape(userInput, options); // or shescape.escapeAll([userInput], options);
Patches
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Workarounds
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
References
- Shescape commit 552e8ea
- Shescape Release v1.6.1
For more information
- Comment on commit 552e8ea
- Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
References
- GHSA-cr84-xvw4-qx3c
Related news
The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.