Skip to content

fix: Avoid a potential ReDoS issue client side in debug mode#30

Open
LeSuisse wants to merge 1 commit into
NixOS:masterfrom
LeSuisse:fix-redos-client-side
Open

fix: Avoid a potential ReDoS issue client side in debug mode#30
LeSuisse wants to merge 1 commit into
NixOS:masterfrom
LeSuisse:fix-redos-client-side

Conversation

@LeSuisse

Copy link
Copy Markdown
Member

This contribution adjusts the debug callback handler to ensure it runs in O(n) and prevent catastrophic backtracking while cleaning up the received string.

const maliciousStr = ' '.repeat(80000) + 'x';

console.log("Start")

// Existing code can lead to O(n^2) -- ReDoS
console.time('existing_ofborg_viewer_code');
maliciousStr.replace(/[\x00\s]+$/g, '');
console.timeEnd('existing_ofborg_viewer_code');

// Adjusted code to enforce O(n) processing
console.time('fixed');
let end = maliciousStr.length;
while (end > 0 && (maliciousStr.charCodeAt(end - 1) === 0 || /\s/.test(maliciousStr[end - 1]))) {
  end--;
}
const cleaned = maliciousStr.slice(0, end);
console.timeEnd('fixed');

// Start
// existing_ofborg_viewer_code: 5.498s
// fixed: 0.038ms

This issue does not really have security consequences:

  • it is a client side issue only, modern browsers will propose to kill the page afte some time
  • it requires to have a debug=1 parameter in the URL which is not something standard
  • burning some CPU cycles can also be achieved with less work by forcing a victim to open pages that would require less work for the same result (e.g. open a GH PR diff view with a large view...)

Assisted-by: issue was spotted by an Anthropic scan (ANT-2026-QKCKJ528)

This contribution adjusts the debug callback handler to ensure it runs
in O(n) and prevent catastrophic backtracking while cleaning up the
received string.

```js
const maliciousStr = ' '.repeat(80000) + 'x';

console.log("Start")

// Existing code can lead to O(n^2) -- ReDoS
console.time('existing_ofborg_viewer_code');
maliciousStr.replace(/[\x00\s]+$/g, '');
console.timeEnd('existing_ofborg_viewer_code');

// Adjusted code to enforce O(n) processing
console.time('fixed');
let end = maliciousStr.length;
while (end > 0 && (maliciousStr.charCodeAt(end - 1) === 0 || /\s/.test(maliciousStr[end - 1]))) {
  end--;
}
const cleaned = maliciousStr.slice(0, end);
console.timeEnd('fixed');

// Start
// existing_ofborg_viewer_code: 5.498s
// fixed: 0.038ms
```

This issue does not really have security consequences:
* it is a client side issue only, modern browsers will propose to kill
  the page afte some time
* it requires to have a `debug=1` parameter in the URL which is not
  something standard
* burning some CPU cycles can also be achieved with less work by forcing
  a victim to open pages that would require less work for the same
  result (e.g. open a GH PR diff view with a large view...)

Assisted-by: issue was spotted by an Anthropic scan (ANT-2026-QKCKJ528)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant