Vulnerable Regular Expressions in omi #571
Type of Issue
Potential Regex Denial of Service (ReDoS)
Description
Here are three regular expressions with ReDoS vulnerabilities, as shown below.
regex1 = `/( +)[^:]+::/`
The ReDoS vulnerability of the regex is mainly due to the sub-pattern `( +)[^:]+` and can be exploited with the following string: `" " * 5000`
It took 44.0 seconds for regex1 to match the malicious string.

regex2 = `/\bOBTW\s+[\s\S]*?\s+TLDR\b/`
The ReDoS vulnerability of the regex is mainly due to the sub-pattern `\s+[\s\S]*?\s+` and can be exploited with the following string: `"OBTW" + " " * 5000`
It took 44.6 seconds for regex2 to match the malicious string.

regex3 = `/^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/`
The ReDoS vulnerability of the regex is mainly due to the sub-pattern `[ \t]*(.+?)[ \t]*` and can be exploited with the following string: `"#" + " " * 5000`
It took 51.4 seconds for regex3 to match the malicious string.
I prepared a script that showcases the execution times of the vulnerable regexes as follows.
I am willing to suggest that you limit the input length, modify these regexes, or replace these regexes with other code.
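The third suggestion (replace the regex with other code) worked through for regex3, as an added example that is not part of this issue or of omi's source: the heading pattern is re-implemented as one unambiguous anchored regex plus index arithmetic, so matching is linear in the input length, and a checker compares the result against the original pattern on short constructed inputs (including the edge cases where the backtracking engine settles on a surprising capture).

```javascript
// Added example, not code from omi or the issue reporter: the heading regex
// /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/ replaced by an unambiguous anchored regex
// plus index arithmetic, so the work is linear in the input length. The edge
// cases below (all-blank or all-'#' remainders, a 7th '#', an empty remainder)
// reproduce what the backtracking engine settles on for the original pattern.
const ORIGINAL_HEADING_RE = /^(#{1,6})[ \t]*(.+?)[ \t]*#*\n+/;

function parseHeading(src) {
  // '.' never matches \n, \r, \u2028 or \u2029, so neither may the rest of the line.
  const m = /^(#{1,6})([^\n\r\u2028\u2029]*)(\n+)/.exec(src);
  if (m === null) return null;
  const [, hashes, rest, newlines] = m;
  let level = hashes.length;
  let start = 0;                                   // greedy leading [ \t]*
  while (start < rest.length && (rest[start] === ' ' || rest[start] === '\t')) start++;
  let end = rest.length;                           // longest tail of the form [ \t]*#*
  while (end > start && rest[end - 1] === '#') end--;
  while (end > start && (rest[end - 1] === ' ' || rest[end - 1] === '\t')) end--;
  let text;
  if (end > start) text = rest.slice(start, end);
  else if (start < rest.length) text = '#';        // remainder is blanks then '#'s only
  else if (rest.length > 0) text = rest[rest.length - 1]; // remainder is blanks only
  else if (level > 1) { level--; text = '#'; }     // e.g. "###\n": (.+?) takes the last '#'
  else return null;                                // "#\n": nothing left for (.+?)
  return { level, text, length: hashes.length + rest.length + newlines.length };
}

// Runs the original pattern as well, so only call it on short, trusted strings.
function agreesWithOriginal(src) {
  const m = ORIGINAL_HEADING_RE.exec(src);
  const p = parseHeading(src);
  if (m === null || p === null) return m === p;   // agree only if both are null
  return m[1].length === p.level && m[2] === p.text && m[0].length === p.length;
}

// Constructed inputs covering the ambiguous spots of the original pattern.
const SAMPLES = ['# Title\n', '##\tSpaced  out ## \n\n', '###  ###\n', '#   \n',
                 '#######\n', '######\n', '#\n', '# foo\r\n', 'no heading\n'];
```

`parseHeading('#' + ' '.repeat(5000))` returns `null` immediately, where the original pattern needs the 51 seconds reported above to reach the same answer.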