Closed
Labels
- accepted: There is consensus among the team that this change meets the criteria for inclusion
- archived due to age: This issue has been archived; please open a new issue for any further discussion
- bug: ESLint is working incorrectly
- core: Relates to ESLint's core APIs and features
Description
One of the regexes in eslint is vulnerable to catastrophic backtracking.
@nzakas says this isn't a problem as used in eslint:
Oh yeah, that’s basically just used to insert data into placeholders for our error messages. So we can have a message like this:
“Expected {{count}} spaces.”
And be able to insert a value for “count” without doing string concatenation.
We did this in order to avoid pulling in a whole library like Mustache. Given that there are whole templating libraries on the server, I can’t imagine why someone would want to use this.
Perhaps a comment to warn future copy/pasters might be in order, however.
Here's a description of the problematic pattern and an attack string.
```json
{
  "pattern" : "\\{\\{\\s*([^{}]+?)\\s*\\}\\}",
  "nPumpsFor10Sec" : "48325",
  "filesIn" : [
    [
      "lib/util/interpolate.js"
    ]
  ],
  "blowupCurve" : {
    "r2" : 0.996141596724248,
    "parms" : [
      3.10391182858704e-08,
      1.82075786106333
    ],
    "type" : "POWER"
  },
  "attackFormat" : {
    "suffix" : "{\t{",
    "pumpPairs" : [
      {
        "pump" : "a",
        "prefix" : "{{\t"
      },
      {
        "pump" : "\t",
        "prefix" : "a"
      }
    ]
  },
  "stringLenFor10Sec" : 96657
}
```
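One way to do the same placeholder substitution without a backtracking regex, written for this page as an added example (it is not code from the issue or from ESLint). `interpolateRegex`, `interpolateLinear` and `reportedShape` are hypothetical names, and the regex helper is an assumed reconstruction of how the reported pattern is used.

```javascript
// Pattern from the report above (lib/util/interpolate.js), kept for comparison only.
const REPORTED_PATTERN = /\{\{\s*([^{}]+?)\s*\}\}/g;
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical helper built around the reported pattern (assumed usage).
function interpolateRegex(text, data) {
  return text.replace(REPORTED_PATTERN, (full, key) => (own(data, key) ? String(data[key]) : full));
}

// Hypothetical replacement: each brace-free run is looked at a constant number
// of times, so the work grows linearly with the input length.
function interpolateLinear(text, data) {
  const parts = [];
  let copied = 0;                        // text before this index is already in parts
  let open = text.indexOf("{{");
  while (open !== -1) {
    let end = open + 2;                  // advance to the first brace after "{{"
    while (end < text.length && text[end] !== "{" && text[end] !== "}") end++;
    const key = text.slice(open + 2, end).trim();
    if (key !== "" && text.startsWith("}}", end)) {
      const whole = text.slice(open, end + 2);
      parts.push(text.slice(copied, open), own(data, key) ? String(data[key]) : whole);
      copied = end + 2;
      open = text.indexOf("{{", copied);
    } else {
      // Not a placeholder (stray brace, no close, or whitespace only): leave it as is.
      open = text.indexOf("{{", open + 1);
    }
  }
  parts.push(text.slice(copied));
  return parts.join("");
}

// Regression input with the shape given in the report's "attackFormat" field.
function reportedShape(pumps) {
  return "{{\t" + "a".repeat(pumps) + "a" + "\t".repeat(pumps) + "{\t{";
}

// Constructed sample messages; both helpers should agree on all of them.
const samples = ["Expected {{count}} spaces.", "Expected {{ count }} spaces.",
  "{{missing}} stays", "{{{count}}", "{{a}b}}", "no placeholders"];
for (const s of samples) {
  console.log(JSON.stringify(interpolateLinear(s, { count: 4 })),
    interpolateLinear(s, { count: 4 }) === interpolateRegex(s, { count: 4 }));
}
```

A whitespace-only placeholder such as `{{ }}` is left unchanged by the scanner, whereas the regex would look up the key `" "`.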