
More regex vulnerabilities #633

Open
eistrati opened this issue Mar 9, 2018 · 0 comments

eistrati commented Mar 9, 2018

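Each report below gives a regular expression ("pattern"), the files it was found in ("filesIn"), and a fitted matching-time curve ("blowupCurve": EXP for exponential growth, POWER for polynomial growth). The "stringLenFor10Sec" and "nPumpsFor10Sec" fields appear to be the input length and number of pump repetitions at which a single match is estimated to take about 10 seconds.

Vulnerability 1: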

{
   "pattern" : "(ip[honead]+)(?:.*os\\s([\\w]+)*\\slike\\smac|;\\sopera)",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 41,
   "attackFormat" : {
      "suffix" : "mao\tlike",
      "pumpPairs" : [
         {
            "pump" : "aa",
            "prefix" : "ipaos\ta"
         }
      ]
   },
   "blowupCurve" : {
      "type" : "EXP",
      "parms" : [
         1.68252152799622e-05,
         1.02277083501163
      ],
      "r2" : 0.999112531966309
   },
   "nPumpsFor10Sec" : "13"
}

Vulnerability 2:

{
   "pattern" : "mozilla.+\\(mobile;.+gecko.+firefox",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 14501,
   "attackFormat" : {
      "suffix" : "e(",
      "pumpPairs" : [
         {
            "pump" : "(mobile;a",
            "prefix" : "mozillaa"
         },
         {
            "pump" : "geckoa",
            "prefix" : "a"
         }
      ]
   },
   "nPumpsFor10Sec" : "966",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         6.58962531661688e-08,
         2.74365114787988
      ],
      "r2" : 0.99755470117338
   }
}

Vulnerability 3:

{
   "pattern" : "(mozilla)\\/([\\w\\.]+).+rv\\:.+gecko\\/\\d+",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 5327,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "mozilla/a"
         },
         {
            "pump" : "rv:a",
            "prefix" : "a"
         }
      ],
      "suffix" : "l."
   },
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         1.27067150194932e-07,
         2.61514694922589
      ],
      "r2" : 0.995405928298896
   },
   "nPumpsFor10Sec" : "1063"
}

Vulnerability 4:

{
   "pattern" : "android.+(hm[\\s\\-_]*note?[\\s_]*(?:\\d\\w)?)\\s+build",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 64340,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "\t",
            "prefix" : "androidahm\tnote\t"
         }
      ],
      "suffix" : "b\t"
   },
   "nPumpsFor10Sec" : "64322",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         1.42254726119814e-08,
         1.8422559977878
      ],
      "r2" : 0.996761065166856
   }
}

Vulnerability 5:

{
   "pattern" : "^[A-Za-z](?:[A-Za-z0-9._-]|-)*$",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 32,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "-",
            "prefix" : "A"
         }
      ],
      "suffix" : "!"
   },
   "blowupCurve" : {
      "type" : "EXP",
      "parms" : [
         0.000230682530164219,
         0.356215203799924
      ],
      "r2" : 0.991807543245278
   },
   "nPumpsFor10Sec" : "30"
}

Vulnerability 6:

{
   "pattern" : "^@\\s*([^:]+)\\s*:\\s*([^\\s]+)\\s*$",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js",
         "src/deep-kernel/lib/ContainerAware.js"
      ]
   ],
   "stringLenFor10Sec" : 87870,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "@\t"
         },
         {
            "pump" : "\t",
            "prefix" : "a"
         }
      ],
      "suffix" : "\t:a\t:"
   },
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         2.24677968476133e-08,
         1.86259910857765
      ],
      "r2" : 0.996784917991378
   },
   "nPumpsFor10Sec" : "43931"
}

Vulnerability 7:

{
   "pattern" : "^(\\/?|)([\\s\\S]*?)((?:\\.{1,2}|[^\\/]+?|)(\\.[^.\\/]*|))(?:[\\/]*)$",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 43935,
   "attackFormat" : {
      "suffix" : "/.",
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "/a"
         }
      ]
   },
   "nPumpsFor10Sec" : "43931",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         5.64878779220729e-08,
         1.7829628306126
      ],
      "r2" : 0.99471235433996
   }
}

Vulnerability 8:

{
   "pattern" : "^\\s*(.+?)\\s*=\\s*(.+?)\\s*$",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 283027,
   "attackFormat" : {
      "suffix" : "a",
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "\t"
         },
         {
            "pump" : "\t",
            "prefix" : "a"
         },
         {
            "pump" : "a",
            "prefix" : "\t=\t"
         },
         {
            "pump" : "\t",
            "prefix" : "a"
         }
      ]
   },
   "nPumpsFor10Sec" : "70755",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         2.09375729529965e-08,
         1.79391473054338
      ],
      "r2" : 0.995769564360116
   }
}

Vulnerability 9:

{
   "pattern" : "(trident).+rv[:\\s]([\\w\\.]+).+like\\sgecko",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 70771,
   "attackFormat" : {
      "suffix" : "eca$",
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "tridentarv\ta"
         }
      ]
   },
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         2.55157424049271e-08,
         1.77828402839188
      ],
      "r2" : 0.994352138766184
   },
   "nPumpsFor10Sec" : "70755"
}

Vulnerability 10:

{
   "pattern" : "(kf[A-z]+)\\sbuild\\/[\\w\\.]+.*silk\\/",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 70769,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "kfa\tbuild/a"
         }
      ],
      "suffix" : "u[s"
   },
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         1.1536974868772e-08,
         1.8462246890808
      ],
      "r2" : 0.996401068706911
   },
   "nPumpsFor10Sec" : "70755"
}

Vulnerability 11:

{
   "pattern" : "android.+(mi[\\s\\-_]*(?:one|one[\\s_]plus)?[\\s_]*(?:\\d\\w)?)\\s+build",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 2353,
   "attackFormat" : {
      "suffix" : "u",
      "pumpPairs" : [
         {
            "pump" : "\t",
            "prefix" : "androidami\t"
         },
         {
            "pump" : "\t",
            "prefix" : "\t"
         }
      ]
   },
   "nPumpsFor10Sec" : "1170",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         1.44373344247649e-07,
         2.56482058190623
      ],
      "r2" : 0.992904825966048
   }
}

Vulnerability 12:

{
   "pattern" : "version\\/([\\w\\.]+).+?(mobile\\s?safari|safari)",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 85628,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "version/a"
         }
      ],
      "suffix" : "e\tms"
   },
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         3.12095204481713e-09,
         1.93112352101979
      ],
      "r2" : 0.996034182634448
   },
   "nPumpsFor10Sec" : "85615"
}

Vulnerability 13:

{
   "pattern" : "^<(?:(?:(?:\\.\\.\\/)*|\\/?)(?:[\\w-]+(?:\\/[\\w-]+)+)?[\\w-]+\\.h|[a-z]\\w*)>",
   "filesIn" : [
      [
         "docs-api/deep-di/script/prettify/prettify.js",
         "docs-api/deep-core/script/prettify/prettify.js",
         "docs-api/deep-db/script/prettify/prettify.js",
         "docs-api/deep-validation/script/prettify/prettify.js",
         "docs-api/deep-notification/script/prettify/prettify.js",
         "docs-api/deep-fs/script/prettify/prettify.js",
         "docs-api/deep-event/script/prettify/prettify.js",
         "docs-api/deep-security/script/prettify/prettify.js",
         "docs-api/deep-cache/script/prettify/prettify.js",
         "docs-api/deep-search/script/prettify/prettify.js",
         "docs-api/deep-kernel/script/prettify/prettify.js",
         "docs-api/deep-resource/script/prettify/prettify.js",
         "docs-api/deep-log/script/prettify/prettify.js",
         "docs-api/deep-asset/script/prettify/prettify.js"
      ]
   ],
   "stringLenFor10Sec" : 70765,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "<../a/a"
         }
      ],
      "suffix" : "A/a"
   },
   "nPumpsFor10Sec" : "70755",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         1.37161477989705e-08,
         1.83115156063407
      ],
      "r2" : 0.996410817892168
   }
}

Vulnerability 14:

{
   "pattern" : "(opera\\s[mobiletab]+).+version\\/([\\w\\.-]+)",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 70763,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "opera\ta"
         }
      ],
      "suffix" : "\t"
   },
   "nPumpsFor10Sec" : "70755",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         1.09443542461353e-08,
         1.85015784256676
      ],
      "r2" : 0.996265430202465
   }
}

Vulnerability 15:

{
   "pattern" : "rv\\:([\\w\\.]+).*(gecko)",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 70764,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : "a",
            "prefix" : "rv:a"
         }
      ],
      "suffix" : "e$gec"
   },
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         2.23205788055452e-08,
         1.79017060487476
      ],
      "r2" : 0.994750122414602
   },
   "nPumpsFor10Sec" : "70755"
}




Vulnerability 16:

{
   "pattern" : "^\\s*at (?:((?:\\[object object\\])?.+) )?\\(?((?:file|ms-appx|https?|webpack|blob):.*?):(\\d+)(?::(\\d+))?\\)?\\s*$",
   "filesIn" : [
      [
         "src/deep-framework/browser/framework.js"
      ]
   ],
   "stringLenFor10Sec" : 148797,
   "attackFormat" : {
      "pumpPairs" : [
         {
            "pump" : " blob:",
            "prefix" : "\tat [object object]a"
         }
      ],
      "suffix" : "o"
   },
   "nPumpsFor10Sec" : "24796",
   "blowupCurve" : {
      "type" : "POWER",
      "parms" : [
         5.56713861838268e-08,
         1.8807830913603
      ],
      "r2" : 0.997684933689693
   }
}