
Potential catastrophic backtracking #10002

@davisjam

Description

One of the regexes in eslint is vulnerable to catastrophic backtracking.

@nzakas says this isn't a problem as used in eslint:

Oh yeah, that’s basically just used to insert data into placeholders for our error messages. So we can have a message like this:

“Expected {{count}} spaces.”

And be able to insert a value for “count” without doing string concatenation.

We did this in order to avoid pulling in a whole library like Mustache. Given that there are whole templating libraries on the server, I can’t imagine why someone would want to use this.

Perhaps a comment to warn future copy/pasters might be in order, however.

Here's a description of the problematic pattern and an attack string.

    {
      "pattern" : "\\{\\{\\s*([^{}]+?)\\s*\\}\\}",
      "nPumpsFor10Sec" : "48325",
      "filesIn" : [
        [
          "lib/util/interpolate.js"
        ]
      ],
      "blowupCurve" : {
        "r2" : 0.996141596724248,
        "parms" : [
          3.10391182858704e-08,
          1.82075786106333
        ],
        "type" : "POWER"
      },
      "attackFormat" : {
        "suffix" : "{\t{",
        "pumpPairs" : [
          {
            "pump" : "a",
            "prefix" : "{{\t"
          },
          {
            "pump" : "\t",
            "prefix" : "a"
          }
        ]
      },
      "stringLenFor10Sec" : 96657
    }
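The following is an added example, not code from the issue or from ESLint. It builds the attack string exactly as the attackFormat above describes it (each pump pair contributes prefix + pump repeated n times, then the suffix), times the reported pattern against it, and contrasts it with a rewrite that moves whitespace trimming out of the regex into the replace callback. That rewrite is this editor's suggestion for removing the ambiguity between `\s*` and `[^{}]+?`; it is an assumption, not a claim about what ESLint actually shipped. The `interpolate` function is likewise a stand-in written here to show that placeholder substitution such as "Expected {{count}} spaces." behaves the same under both patterns.

```javascript
'use strict';

// The pattern reported in the issue. On whitespace, `\s*` and `[^{}]+?` can
// each consume the same characters, so when no closing `}}` ever arrives the
// engine retries every split of a whitespace run between them: cost grows
// quadratically with the length of that run.
const AMBIGUOUS = /\{\{\s*([^{}]+?)\s*\}\}/g;

// Hardened form (assumption: one sound rewrite, not necessarily ESLint's own
// fix): no two sub-patterns can consume the same character, so a failing scan
// advances linearly; trimming happens in the callback instead.
const UNAMBIGUOUS = /\{\{([^{}]+?)\}\}/g;

// Constructed attack string following the issue's attackFormat literally.
const ATTACK_FORMAT = {
  suffix: '{\t{',
  pumpPairs: [
    { prefix: '{{\t', pump: 'a' },
    { prefix: 'a', pump: '\t' },
  ],
};

function buildAttack(n, format = ATTACK_FORMAT) {
  return format.pumpPairs.map(p => p.prefix + p.pump.repeat(n)).join('') + format.suffix;
}

// Placeholder substitution in the style the issue describes, parameterised by
// the regex so both forms can be compared. Unknown placeholders are left as-is.
function interpolate(text, data, re) {
  return text.replace(re, (fullMatch, term) => {
    const key = term.trim();
    return Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : fullMatch;
  });
}

// Wall-clock milliseconds for a single scan of `input` with `re`.
function timeMatchMs(re, input) {
  re.lastIndex = 0;
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Doubling n should roughly quadruple the ambiguous pattern's time while the
// unambiguous one stays flat.
function demo() {
  for (const n of [1000, 2000, 4000]) {
    const s = buildAttack(n);
    const slow = timeMatchMs(AMBIGUOUS, s).toFixed(1);
    const fast = timeMatchMs(UNAMBIGUOUS, s).toFixed(1);
    console.log(`n=${n} len=${s.length}: ambiguous ${slow} ms, unambiguous ${fast} ms`);
  }
}

demo();
```

Neither pattern matches the attack string at all (there is no `}}` in it); the difference is only in how much work the engine does before reporting the failure. If a pattern is kept in the error-message path, the cheap check is to ask whether two adjacent quantified sub-patterns can accept the same character class; here both accept a tab.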

Labels

    accepted (There is consensus among the team that this change meets the criteria for inclusion)
    archived due to age (This issue has been archived; please open a new issue for any further discussion)
    bug (ESLint is working incorrectly)
    core (Relates to ESLint's core APIs and features)