Regular expression vulnerability with xmlbuilder dependency #632

@eistrati

Description

This project seems to have bundled code from the xmlbuilder library, and it contains a Regular expression Denial of Service (ReDoS)* vulnerability.
This was fixed in the upstream xmlbuilder v9.0.7; you can see the upstream commit here:
oozcitak/xmlbuilder-js@bbf929a

The vulnerability originates from the following Regular Expression (/^[A-Za-z](?:[A-Za-z0-9._-]|-)*$/), in this function:

XMLStringifier.prototype.xmlEncoding = function(val) {
  val = '' + val || '';
  // Vulnerable pattern: "-" can be matched by either alternative, so the
  // engine backtracks exponentially on inputs that are rejected at the end.
  if (!val.match(/^[A-Za-z](?:[A-Za-z0-9._-]|-)*$/)) {
    throw new Error("Invalid encoding: " + val);
  }
  return val;
};

Here is an attack string (JSON-formatted):

{"pumpPairs":[{"pump":"-A","prefix":"AA"}],"suffix":"\u0000"}

A string composed of the indicated prefix, the "pump" concatenated 30 times, and then the suffix, takes about 10 seconds to evaluate, and will double for each additional concatenation of the pump string.

The blow-up is exponential-time, so just truncating the input may not help.
The 10-second string is under 100 characters long.

  • ReDoS, also known as Catastrophic Backtracking, is when the regex engine takes more than linear time to scan a string.
    There are lots of resources about it on the web. I have included some starting points below.

Catastrophic backtracking is particularly problematic if two conditions are met:

  1. The module is used by server processes, and
  2. The regex can be reached by user input.
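An added example, not part of the issue above and not the xmlbuilder project's own code, that puts the reported regex next to an unambiguous equivalent and a one-pass validator accepting the same strings; the hardened pattern is my assumption of a safe form, not a quote of the upstream fix, and the pumped input is constructed locally from the JSON in the issue.

```javascript
// Regex as bundled in the vulnerable version (quoted from the issue).
const VULNERABLE_RE = /^[A-Za-z](?:[A-Za-z0-9._-]|-)*$/;

// Assumed hardened form: "-" already sits inside the character class, so the
// second alternative is redundant. Dropping it removes the ambiguity that lets
// the engine pick two branches for every "-" (2^n paths on a failing input).
const HARDENED_RE = /^[A-Za-z][A-Za-z0-9._-]*$/;

// Reference validator with no backtracking at all: one pass, O(n).
function isLetter(c) {
  return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}
function isTailChar(c) {
  return isLetter(c) || (c >= '0' && c <= '9') || c === '.' || c === '_' || c === '-';
}
function isValidEncodingName(val) {
  const s = '' + val;
  if (s.length === 0 || !isLetter(s[0])) return false;
  for (let i = 1; i < s.length; i++) {
    if (!isTailChar(s[i])) return false;
  }
  return true;
}

// Input described by the issue's JSON: prefix + pump repeated n times + suffix.
// With n = 30 the vulnerable regex takes seconds; do not run it at that size.
function buildPumpedInput(n) {
  return 'AA' + '-A'.repeat(n) + '\u0000';
}

// Wall-clock time of one regex test in milliseconds, for manual experiments.
function timeMatchMs(re, input) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample names: the three checks must agree on every one.
const SAMPLES = ['UTF-8', 'ISO-8859-1', 'utf8', '8bit', '', 'UTF 8', 'a\u0000'];
function patternsAgree() {
  return SAMPLES.every(s =>
    VULNERABLE_RE.test(s) === HARDENED_RE.test(s) &&
    HARDENED_RE.test(s) === isValidEncodingName(s));
}

// Small demo: 12 pumps (~4096 paths) is still instant for the vulnerable regex,
// while the hardened regex rejects the 30-pump input in linear time.
console.log('agree:', patternsAgree(),
  'vuln n=12:', timeMatchMs(VULNERABLE_RE, buildPumpedInput(12)).toFixed(2), 'ms',
  'hardened n=30:', timeMatchMs(HARDENED_RE, buildPumpedInput(30)).toFixed(2), 'ms');
```

Raise the pump count passed to VULNERABLE_RE one step at a time to watch the doubling the issue describes, then compare against HARDENED_RE at the same size.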
