[Pkg-javascript-devel] Bug#927716: CVE-2018-1109

Xavier yadd at debian.org
Fri Apr 26 18:40:22 BST 2019


On 25/04/2019 at 13:41, Xavier wrote:
> Control: tags -1 + moreinfo
> 
> On 22/04/2019 at 07:38, Xavier wrote:
>> On 21/04/2019 at 22:33, Moritz Muehlenhoff wrote:
>>> Package: node-braces
>>> Severity: important
>>> Tags: security
>>>
>>> Please see https://snyk.io/vuln/npm:braces:20180219
>>>
>>> Patch:
>>> https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
>>>
>>> Cheers,
>>>         Moritz
>>
>> The Buster version (2.0.2) does not seem easy to patch.
> 
> It seems that the vulnerable regexp doesn't exist in node-braces 2.0.2.
> I can't find any exploit to verify this. Could someone help here?

Hello,

The regex that causes CVE-2018-1109 was introduced in upstream version
2.2.0, commit dcc1acab [1]. So the Buster node-braces does not seem to be
affected by this CVE.

Extract from https://snyk.io/vuln/npm:braces:20180219:

> braces is a Bash-like brace expansion, implemented in JavaScript.
>
> Affected versions of this package are vulnerable to Regular Expression
> Denial of Service (ReDoS) attacks. It used a regular expression
> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
> braces. This can cause an impact of about 10 seconds matching time for
> data 50K characters long.

Commit dcc1acab [1]:

  ...lib/parser.js
  +    /**
  +     * Empty braces (we capture these early to
  +     * speed up processing in the compiler)
  +     */
  +
  +    .set('multiplier', function() {
  +      var pos = this.position();
  +      var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
  +      if (!m) return;
  +
  +      this.multiplier = true;
  +      var prev = this.prev();
  +      var node = pos(new Node({
  +        type: 'text',
  +        multiplier: 1,
  +        match: m,
  +        val: m[0]
  +      }));
  +
  +      return concatNodes.call(this, pos, node, prev, options);
  ...
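Review bot: the pattern on the `this.match(...)` line is ambiguous about where a run of commas ends: in the first alternative `,+` is followed, after a group that may match zero times, by `,*`, and the second alternative has the mirror `,*` ... `,+`. On a body that opens with many commas but never reaches the closing `\}` the engine tries every split of the comma run between the two quantifiers before failing, quadratic in the input length, and then repeats that for the second alternative, so the "speed up processing" comment above the parser does not hold for hostile input. The comma runs and the `\{,+\}` groups start with different characters, so a single repetition of mutually exclusive alternatives (one `,` or one `\{,+\}` per iteration) has no such split to explore and fails in linear time.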

and the fix is [2]:

  ...lib/parsers.js
  @@ -127,7 +127,7 @@ module.exports = function(braces, options) {
     .set('multiplier', function() {
       var isInside = this.isInside('brace');
       var pos = this.position();
  -    var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
  +    var m = this.match(/^\{((?:,|\{,+\})+)\}/);
       if (!m) return;

      this.multiplier = true;
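Review bot: the replacement `^\{((?:,|\{,+\})+)\}` is not a drop-in equivalent of the removed pattern, and the hunk does not say whether that is intended. The old pattern required a bare comma run at the start or at the end of the body, so an input such as `{{,}}` (only nested groups, no bare comma) fell through to the general brace parser; the new one sends it down the multiplier path. It also collapses the old three capture groups into one, while the earlier version of this parser stored the whole match array on the node (`match: m`). Please confirm that nothing in the compiler indexes `m[2]` or `m[3]` and that multiplier handling is correct for nested-only bodies, or state in the commit message that the broader match is deliberate.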

No regexp in 2.0.2 contains such an expression.

Time to close this issue?

Cheers,
Xavier

[1]:
https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
[2]:
https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
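To reproduce the behaviour Snyk describes and to check whether the fix commit is a drop-in replacement for the old pattern, here is an added example. It is not code from node-braces or from this thread: only the two regex literals are copied from the hunks quoted above; the helper names (`maliciousInput`, `timeMatch`, `slowdown`, `disagreements`), the timing harness and the sample inputs are constructed for the demonstration.

```javascript
// Added example (not code from node-braces or from the thread): reproduce the
// ReDoS in the "multiplier" regex from commit dcc1acab and compare it with the
// regex from fix commit abdafb0. Only the two regex literals come from the
// hunks quoted in the message; everything else is constructed for the demo.
const VULNERABLE_RE = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/; // braces 2.2.0, before the fix
const FIXED_RE = /^\{((?:,|\{,+\})+)\}/;                              // after abdafb0

// Worst-case input: an opening brace, a long run of commas, then a character
// that can never satisfy the closing "\}". The old pattern has ",+" followed
// by ",*" (and ",*" followed by ",+" in its second alternative), so every
// split of the comma run is tried before the match fails: O(n^2) steps.
// The new pattern consumes the run in one repetition and fails after a single
// linear backtrack.
function maliciousInput(n) {
  return '{' + ','.repeat(n) + 'x';
}

// Run one regex against one input; report the result and the wall-clock time.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Compare both patterns on a malicious input of n commas. Neither matches,
// so the only difference between them is backtracking work.
function slowdown(n) {
  const input = maliciousInput(n);
  const vulnerable = timeMatch(VULNERABLE_RE, input);
  const fixed = timeMatch(FIXED_RE, input);
  return { vulnerable, fixed, ratio: vulnerable.ms / fixed.ms };
}

// Constructed sample inputs for checking whether the fix is a drop-in
// replacement for the old pattern.
const SAMPLES = [
  '{,}', '{,,}', '{,{,}}', '{,{,},}', // accepted by both patterns
  '{{,}}', '{{,},{,,}}',              // nested groups only: old rejects, new accepts
  '{}', '{a,b}', '{,', '{,,x',        // rejected by both patterns
];

// Inputs on which the two patterns disagree. The old pattern required a bare
// comma run at the start or at the end of the body; the new one does not.
function disagreements(samples = SAMPLES) {
  return samples.filter((s) => VULNERABLE_RE.test(s) !== FIXED_RE.test(s));
}

if (typeof require !== 'undefined' && require.main === module) {
  const n = 20000;
  const r = slowdown(n);
  console.log(`n=${n}: vulnerable ${r.vulnerable.ms.toFixed(1)} ms, ` +
              `fixed ${r.fixed.ms.toFixed(3)} ms, ratio ${r.ratio.toFixed(0)}x`);
  console.log('inputs where the old and new patterns differ:', disagreements());
}
```

Run it with `node`. Because the cost is quadratic, 50K commas as in the Snyk measurement takes a few times longer than the 20K used here; `disagreements()` shows that the fix also widened what the multiplier parser accepts, which is the part of the change a packager backporting it would want to look at.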
