Skip to content

Commit

Permalink
fix ReDos in hwb() parser (low-severity)
Browse files Browse the repository at this point in the history
Discovered by Yeting Li, c/o Colin Ife via Snyk.io.

A ReDos (Regular Expression Denial of Service) vulnerability
was responsibly disclosed to me via email by Colin on
Mar 5 2021 regarding an exponential time complexity for
linearly increasing input lengths for `hwb()` color strings.

Strings reaching more than 5000 characters would see several
milliseconds of processing time; strings reaching more than
50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to a the regular expression that parses
hwb() strings - specifically, the hue value - where
the integer portion of the hue value used a 0-or-more quantifier
shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan,
resulting in exponential time complexity given a linear
increase in input length.

Thank you Yeting Li and Colin Ife for bringing this to my
attention in a secure, responsible and professional manner.

A CVE will not be assigned for this vulnerability.
  • Loading branch information
Qix- committed Mar 5, 2021
1 parent 60f3f66 commit 0789e21
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,7 @@ cs.get.hsl = function (string) {
return null;
}

var hsl = /^hsla?\(\s*([+-]?(?:\d*\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
var hsl = /^hsla?\(\s*([+-]?(?:\d{0,3}\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
var match = string.match(hsl);

if (match) {
Expand All @@ -150,7 +150,7 @@ cs.get.hwb = function (string) {
return null;
}

var hwb = /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
var hwb = /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
var match = string.match(hwb);

if (match) {
Expand Down

0 comments on commit 0789e21

Please sign in to comment.