Regular expression injection fix #87
Conversation
# Sanitize User Input:
The code now escapes special characters in the versionedRegexString before creating the RegExp object. This prevents malicious users from injecting special characters that could modify the behavior of the regular expression.
The replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&") line escapes all special characters that have meaning in regular expressions.
# Example:
Let's say a user inputs the following string as versionedRegex: (a*|.*)
Without sanitization, this could lead to a Denial of Service attack due to the exponential time complexity of the regex.
After sanitization, the regex becomes \(a\*\|\.\*\), which is safe and prevents the attack.
# Important:
Security: Unsanitized user input in regular expressions can lead to serious security vulnerabilities, including:
Denial of Service (DoS): Malicious regexes can cause the application to consume excessive resources, leading to slowdowns or crashes.
Code Injection: In some cases, attackers could inject code into the application through crafted regexes.
Reliability: Sanitizing user input ensures that the regular expressions behave as expected and don't cause unexpected errors or crashes.
You're probably gonna want to fence that, as GitHub is eating your sanitization. 😉 It should say: Let's say a user inputs the following string as versionedRegex: Without sanitization, this could lead to a Denial of Service attack due to the exponential time complexity of the regex. After sanitization, the regex becomes |
|
Taking a step back, though... I'm confused. Doesn't this change also effectively disable the regular expression? Also, the regular expression configured by the user — whatever form it takes — is used in the author's own workflows. If they create an expression with exponential complexity, the only person they'll be DoSing is themselves. (Well, and GitHub, but they'll get over it. Like they'd even notice one wedged runner.) I'm not sure how critical it is to bend over backwards protecting people from themselves. If they aren't allowed to mess things up, they'll be cheated of the chance to learn from their mistakes! |
Sanitize User Input:
The code now escapes special characters in the versionedRegexString before creating the RegExp object. This prevents malicious users from injecting special characters that could modify the behavior of the regular expression.
The replace(/[-[]{}()*+?.,\^$|#\s]/g, "\$&") line escapes all special characters that have meaning in regular expressions.
Example:
Let's say a user inputs the following string as versionedRegex: (a*|.*)
Without sanitization, this could lead to a Denial of Service attack due to the exponential time complexity of the regex.
After sanitization, the regex becomes (a*|.*), which is safe and prevents the attack.
Important:
Security: Unsanitized user input in regular expressions can lead to serious security vulnerabilities, including:
Denial of Service (DoS): Malicious regexes can cause the application to consume excessive resources, leading to slowdowns or crashes.
Code Injection: In some cases, attackers could inject code into the application through crafted regexes.
Reliability: Sanitizing user input ensures that the regular expressions behave as expected and don't cause unexpected errors or crashes.