
Security Fix for Regular Expression Denial of Service (ReDoS) - huntr.dev #9

Open. Wants to merge 2 commits into base: master.

Conversation

huntr-helper

https://huntr.dev/users/mufeedvh has fixed the Regular Expression Denial of Service (ReDoS) vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| GitHub Issue | #5 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/node-dns-sync/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-node-dns-sync

⚙️ Description *

The project node-dns-sync was validating hostnames with a regex vulnerable to ReDoS (Regex Denial of Service).

💻 Technical Description *

The regex pattern implemented to validate hostnames is vulnerable to ReDoS:

```
/^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]).)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9])$/
```

Using a long string to make it pass through this regex will lead to Denial of Service.

🐛 Proof of Concept (PoC) *

Refer: #5

🔥 Proof of Fix (PoF) *

As the regex used is perfect for validating a hostname but is just vulnerable to ReDoS, I implemented node-re2 instead of the JavaScript RegExp() function, as re2 can convert a vulnerable regex pattern to a safe one, preventing any backtracking regular expressions/attacks.

📚 Reference:

👍 User Acceptance Testing (UAT)

Replaced the usage of the RegExp() function with a safer regex binding, node-re2.
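The alternative the thread gestures at, shown as an added example rather than code from node-dns-sync or this PR: validate the hostname label by label with a bounded pattern instead of changing regex engines. `ORIGINAL_RE` is the pattern quoted in the post above; `isValidHostname`, `LABEL_RE`, `compare` and the sample inputs are my own constructions, and the 63/253 length limits assume RFC 1123 hostnames.

```javascript
// Added example, not node-dns-sync's own code or this PR's fix: check a hostname
// one label at a time instead of with one nested-quantifier regex. The PR's
// pattern wraps a quantified label group in an outer `*` and separates labels
// with an unescaped `.` (which matches any character), so a string that is not
// a hostname can be split into candidate labels in exponentially many ways
// before the engine gives up.
const ORIGINAL_RE =
  /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]).)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9])$/;

// RFC 1123 label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
// The {0,61} bound caps backtracking at a small constant per label.
const LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
const MAX_HOSTNAME_LENGTH = 253;

function isValidHostname(hostname) {
  if (typeof hostname !== 'string') return false;
  // Cheapest mitigation first: reject oversized input before any regex runs.
  if (hostname.length === 0 || hostname.length > MAX_HOSTNAME_LENGTH) return false;
  // Split on a literal dot. An empty label (leading, trailing or doubled dot)
  // fails LABEL_RE, so those cases are rejected too.
  return hostname.split('.').every((label) => LABEL_RE.test(label));
}

// Compare the two checks on one input. Keep inputs short here: ORIGINAL_RE is
// the pattern under discussion and is only safe to run on short strings.
function compare(hostname) {
  return { original: ORIGINAL_RE.test(hostname), safe: isValidHostname(hostname) };
}

// Constructed sample inputs with the verdict a hostname validator should give.
const SAMPLES = [
  ['example.com', true],
  ['xn--bcher-kva.example', true],
  ['-bad.example', false],
  ['bad-.example', false],
  ['bad..example', false],
  ['bad_host.example', false],           // ORIGINAL_RE accepts this: `.` matches `_`
  ['a'.repeat(64) + '.example', false],  // label longer than 63 characters
  ['a'.repeat(250) + '.com', false],     // 254 characters in total
];

// True when isValidHostname agrees with every expected verdict above.
function checkSamples() {
  return SAMPLES.every(([host, expected]) => isValidHostname(host) === expected);
}

console.log('samples pass:', checkSamples());
console.log('bad_host.example:', compare('bad_host.example'));
```

The `bad_host.example` row is the one to look at: the original pattern's unescaped `.` makes it accept that string, while the label-by-label check rejects it and never backtracks beyond a single label.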

mufeedvh and others added 2 commits August 14, 2020 22:59
Fixed ReDoS (Regex Denial of Service)
@Richienb

Instead of using a completely different regex engine, just use is-valid-hostname (not mine).
