Denial of Service in isEmail validator #152
Comments
The current version of validator is vulnerable to this attack. I have confirmed it and can provide an exploitable example. I am currently using a friend of mine's custom ReDoS tool to test all the regexes in this library for issues. Looks like isEmail is vulnerable as well. |
@damianb the author's supervisor, Andres Ojamaa, contacted me privately about the issue and included the following proof of concept:

```javascript
var v = require('validator');

var s = '';
for (var i = 0; i < 100; i++) {
  s += '-/';                                   // grow the repeated subexpression input
  var t = Date.now();
  var url = 'http://example.org/' + s + '@';
  try {
    v.check(url).isUrl();                      // old validator API: throws on invalid input
  } catch (e) { }
  // time taken grows with i if the regex backtracks catastrophically
  console.log('i = ' + i + ", len: " + url.length + ", time: " + (Date.now() - t) + " ms");
}
```

The denial of service attack that's described in the paper was fixed in a643b4f by replacing the RFC1738 regexp with another, however the replacement regular expression still features at least one repeated subexpression that includes a repeated pattern, i.e. it's probably still prone to a similar attack. |
@ProZachJ no need to post an example. If the regex contains |
Any update on addressing this issue in an upcoming release? |
@evilpacket not yet. What's required is a hand-written parser that doesn't use RegExps (or at least not the evil patterns). The isURL RegExp is huge so this would require a lot of work. |
Some of these regexes are overly-complicated. Multiline regexes are probably one of my favorite features of CoffeeScript, but the KISS principle probably applies here. |
Just stumbled upon a simple example that hangs the checker: Takes several seconds to complete |
Can anyone confirm whether or not |
It appears is |
Is the module still vulnerable? |
No, URL was fixed and isEmail was replaced with a non-vulnerable method.
|
Just to be sure I will run it through my redos tool this afternoon and let you know
|
okay, great! |
All the regex patterns in that file got the green light.
|
Perfect. I think it's then safe to close the issue? Thanks! On 31/07/2015 22:05, Zach Jones wrote:
|
I can't find any more issues either. If anyone can find an exploit with the latest version of the library, please let me know. |
@chriso The following code breaks the [email protected]

```coffeescript
v = require 'validator'
email = '"[email protected] via example.com" "[email protected]'
v.isEmail email
```

Validating this locked up the CPU, it ran for several hours and never finished. |
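As an added example (not validator's own code), here is the kind of regex-free, single-pass check chriso describes earlier in the thread: a conservative email syntax parser that examines each character once, so its cost is linear in input length and inputs like the quoted-string case @schaitanya reports are rejected quickly instead of hanging. The 254-character cap, the 63-character label limit and the requirement for at least one dot in the domain are assumptions of this example, not validator's rules.

```javascript
// Added example, not validator's code: a regex-free, single-pass email syntax
// check. Every character is visited once, so there is no backtracking to
// exploit. Grammar: RFC 5322-style dot-atom or quoted-string local part,
// then '@', then a dotted hostname of [A-Za-z0-9-] labels.
const MAX_EMAIL_LENGTH = 254; // assumed hard cap; bounds work before parsing
const ATEXT = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +
  "!#$%&'*+/=?^_`{|}~-";
const LABEL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-';

function isEmailSyntax(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_EMAIL_LENGTH) return false;
  let i = 0;
  if (s[0] === '"') {
    // quoted-string local part: '"', printable chars or backslash escapes, '"'
    i = 1;
    while (i < s.length && s[i] !== '"') {
      if (s[i] === '\\') { i += 2; continue; }          // escape consumes next char
      const code = s.charCodeAt(i);
      if (code < 32 || code > 126) return false;          // printable ASCII only
      i++;
    }
    if (i >= s.length) return false;                      // unterminated quote
    i++;                                                  // step past closing quote
  } else {
    // dot-atom local part: atext+ ('.' atext+)*
    let run = 0;
    for (; i < s.length && s[i] !== '@'; i++) {
      if (s[i] === '.') { if (run === 0) return false; run = 0; }
      else if (ATEXT.indexOf(s[i]) >= 0) run++;
      else return false;
    }
    if (run === 0) return false;                          // empty, or ends with '.'
  }
  if (s[i] !== '@') return false;                         // e.g. text after a closing quote
  // domain: labels of 1-63 chars, no leading/trailing '-', at least one '.'
  let labels = 0, run = 0;
  for (i++; i < s.length; i++) {
    const c = s[i];
    if (c === '.') {
      if (run === 0 || s[i - 1] === '-') return false;
      labels++; run = 0;
    } else if (LABEL.indexOf(c) >= 0) {
      if (run === 0 && c === '-') return false;
      if (++run > 63) return false;
    } else return false;
  }
  return run > 0 && s[s.length - 1] !== '-' && labels >= 1;
}
```

The input from the report above is rejected as soon as the parser sees a space after the closing quote, which is the point: rejection cost depends only on how far the parser gets, never on how many ways a pattern could match.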
Thanks for the report @schaitanya. |
@schaitanya the fix is in |
@chriso Awesome. Many thanks for the prompt reply. |
Nice fix, you are nicer than I. I'da just tossed anything with quotes or spaces back as 'not an email address'.
|
Not sure how reliable this is, but it doesn't appear that the author ever bothered to responsibly report the issue: http://lab.cs.ttu.ee/dl93 (PDF warning)
You'll want to check 2.4.2.1 of it where the author provides an example of a claimed Denial of Service vector against this module - not sure if it's applicable after the change to fix issue #109 (commit a643b4f) but I figured it should be addressed after seeing the paper pop up on reddit.