Skip to content

Request manager re dos #9203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Request manager re dos #9203

wants to merge 6 commits into from
+22 −1

Conversation

mmmsssttt404
Copy link

Steps to reproduce
Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

yarn/src/util/request-manager.js

Line 187 in 7cafa51

this.ca = bundle.split(/(-----BEGIN .*\r?\n[^-]+\r?\n--.*)/).filter(hasPemPrefix); 

1.git clone https://github.com/mmmsssttt404/yarn.git
2.yarn install
3.yarn test __tests__/util/request-manager.js

use time:
{008E24AF-9CEE-42F3-A5BE-FB2372FC17E1}
f307ba7bf4e492b32c4405618d60e57

Proposed Solution:
Change the regular expression to
https://github.com/mmmsssttt404/yarn/blob/f54fa0f0e0cdec16583b572dec679c9fbf9073a4/src/util/request-manager.js#L187
{F4163767-9749-4D94-B2BF-E8734A2D3424}

{D50FCAB5-A4B5-4C12-8219-5D7B31542E0F}

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mmmsssttt404