Inefficient Regular Expression Complexity in faisalman/ua-parser-js
Reported on Sep 16th 2021
Description
Hello my dear,
I found another inefficient regular expression in ua-parser-js
that has a polynomial execution time (not exponential, but still dangerous).
Proof of Concept
I created two payloads; you can compare their execution times using the Regexr links provided.
payload 1
https://regexr.com/65o79
payload 2
https://regexr.com/65o7c
If you get an execution-time error in Regexr, this means that the execution time is greater than 2.5 seconds.
Hi, thanks for reporting the issue. I have followed the links that you gave, but I don't see the error in execution time that you mentioned. Can you provide more details regarding this issue? Thanks
Excuse me for my bad explanation.
First open this URL: https://regexr.com/
and use /^\s+|\s+$/g
which is already placed in your code.
This is a correct input for this regex that has a low execution time (you should copy the spaces too):
fdsfsdffdsfsdffdsfsdffdsfsdffdsfsdffdsfsdffdsfsdf
This is a badly crafted input:
fdsfsdffdsfsdffdsfsdffdsfsdffdsfsdffdsfsdffdsfsdf ffffff
If you compare the execution times of these two payloads, you can see that the regex is inefficient.
I mentioned the error because if you encounter an error on Regexr.com,
you understand that this means the execution time is too high.
I can provide a PoC video; just tell me to do that.
And if there isn't any problem, can I ask you to just validate my report? The report will remain confidential until you submit a patch for it.
No, that's okay. I also found this article https://blog.stevenlevithan.com/archives/faster-trim-javascript which also says that the approach I'm currently using is slow when working with long strings, and the article suggests using two separate replace() calls as a faster implementation:
https://github.com/faisalman/ua-parser-js/commit/336ce2b9502923fb931615598dfb0baefed04f5d
Do you think this solved the original issue?
@maintainer - are you able to confirm the fix against the report?
We can then go ahead and publish a CVE on your behalf.
Thanks! 👏
The original fix turns out to be vulnerable as well, which was later fixed in https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411
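The trim regex named in the report, the two-replace form the maintainer's reply points to, and a regex-free trim that does a single pass from each end, as an added example for comparison; this is not code from ua-parser-js or from either commit, the function names and `buildPayload` are mine, the two-replace body is my reading of the linked article rather than the commit's text, and the timed input is constructed to have the shape of the reporter's second payload (a long run of spaces that is not trailing because a non-space follows it).

```javascript
// Added example, not project code. Compares three trim implementations
// for equal output and for run time on a constructed input shaped like
// the report's "badly crafted" payload.

// Original form discussed in the report: both anchors in one regex.
// On N spaces followed by a non-space, `\s+$` is retried from every
// space and backtracks each time, so the work grows as N squared.
function trimRegexOriginal(str) {
  return str.replace(/^\s+|\s+$/g, '');
}

// Two-replace form in the style of the linked article (assumption: this
// is how the first fix looked; the thread says it was still vulnerable,
// and `\s\s*$` backtracks on the same input shape).
function trimRegexTwoPass(str) {
  return str.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}

// Regex-free trim: walk inward from both ends once. Each character is
// checked at most once, so the cost is linear in the input length.
function trimLinear(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed input: a word, `spaces` spaces, then a final non-space.
function buildPayload(spaces) {
  return 'fdsfsdf' + ' '.repeat(spaces) + 'f';
}

// Milliseconds taken by one trim implementation on one input.
function timeTrim(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

// True when all three trims agree with String.prototype.trim(), i.e.
// the linear version is a drop-in replacement for the regex ones.
function allAgree(input) {
  const expected = input.trim();
  return trimRegexOriginal(input) === expected &&
    trimRegexTwoPass(input) === expected &&
    trimLinear(input) === expected;
}

for (const n of [2000, 4000, 8000]) {
  const p = buildPayload(n);
  console.log(`${n} spaces: original ${timeTrim(trimRegexOriginal, p).toFixed(1)} ms, ` +
    `two-pass ${timeTrim(trimRegexTwoPass, p).toFixed(1)} ms, linear ${timeTrim(trimLinear, p).toFixed(1)} ms`);
}
```

Doubling the number of spaces should roughly quadruple the time of the two regex versions while the linear version stays flat; the exact numbers depend on the engine.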