fix: Avoid a potential ReDoS issue client side in debug mode#30
Open
LeSuisse wants to merge 1 commit into
Open
fix: Avoid a potential ReDoS issue client side in debug mode#30LeSuisse wants to merge 1 commit into
LeSuisse wants to merge 1 commit into
Conversation
This contribution adjusts the debug callback handler to ensure it runs
in O(n) and prevent catastrophic backtracking while cleaning up the
received string.
```js
const maliciousStr = ' '.repeat(80000) + 'x';
console.log("Start")
// Existing code can lead to O(n^2) -- ReDoS
console.time('existing_ofborg_viewer_code');
maliciousStr.replace(/[\x00\s]+$/g, '');
console.timeEnd('existing_ofborg_viewer_code');
// Adjusted code to enforce O(n) processing
console.time('fixed');
let end = maliciousStr.length;
while (end > 0 && (maliciousStr.charCodeAt(end - 1) === 0 || /\s/.test(maliciousStr[end - 1]))) {
end--;
}
const cleaned = maliciousStr.slice(0, end);
console.timeEnd('fixed');
// Start
// existing_ofborg_viewer_code: 5.498s
// fixed: 0.038ms
```
This issue does not really have security consequences:
* it is a client side issue only, modern browsers will propose to kill
the page afte some time
* it requires to have a `debug=1` parameter in the URL which is not
something standard
* burning some CPU cycles can also be achieved with less work by forcing
a victim to open pages that would require less work for the same
result (e.g. open a GH PR diff view with a large view...)
Assisted-by: issue was spotted by an Anthropic scan (ANT-2026-QKCKJ528)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This contribution adjusts the debug callback handler to ensure it runs in O(n) and prevent catastrophic backtracking while cleaning up the received string.
This issue does not really have security consequences:
debug=1parameter in the URL which is not something standardAssisted-by: issue was spotted by an Anthropic scan (ANT-2026-QKCKJ528)