Fixed ReDoS (Regex Denial of Service)

[mufeedvh]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-node-dns-sync

⚙️ Description *

The project node-dns-sync was validating hostnames with a regex vulnerable to ReDoS (Regex Denial of Service).

💻 Technical Description *

The implemented Regex pattern to validate hostnames is vulnerable to ReDoS:

/^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]).)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9])$/

Using a long string to make it pass through this regex will lead to Denial of Service.

🐛 Proof of Concept (PoC) *

Refer: skoranga#5

🔥 Proof of Fix (PoF) *

As the used Regex is perfect to validate a hostname but just vulnerable to ReDoS, I implemented node-re2 instead of the JavaScript RegExp() function as re2 can convert a vulnerable Regex pattern to a safe one preventing any backtracking regular expressions/attacks.

📚 Reference:

• https://www.npmjs.com/package/re2#standard-features
• https://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address

👍 User Acceptance Testing (UAT)

Replaced the usage of RegExp() function with a safer regex binding node-re2.

[Mik317]

Good fix !!!

Cheers,
Mik

[huntr-helper]

Congratulations mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!