[VULNERABILITY] Parsing a long String will result in 100% CPU usage and String.test will never finish

[niftylettuce]

IMPORTANT UPDATE (8/15/20)

Per my comment below, I have released my own package, url-regex-safe, which resolves this issue, and all (solvable) existing issues and pull requests here in this GitHub repository. The new package has 100% test coverage and is available at https://github.com/niftylettuce/url-regex-safe. It has more sensible defaults as well.

---

Example:

> require('url-regex')({ strict: false }).test('018137.113.215.4074.138.129.172220.179.206.94180.213.144.175250.45.147.1364868726sgdm6nohQ')

The only way to exit out is to SIGINT.

[niftylettuce]

cc @sindresorhus

[niftylettuce]

I think the solution might be to use this https://github.com/uhop/node-re2/

[niftylettuce]

I've confirmed that using RE2 package resolves this issue.

You may want to incorporate or suggest in the docs @sindresorhus for get-urls?

[michelnev]

I second addressing this issue. I'm hitting this periodically.
I'll make my own version using RE2 for now.

[niftylettuce]

I think I should disclose this to snyk.io and GitHub. Disclosed to Snyk.io by their web form and email. Over 3M downloads of url-regex per month, this is a core vulnerability that can cause a Denial of Service attack.

[niftylettuce]

This was discovered per my research and development with https://forwardemail.net, https://github.com/spamscanner/spamscanner, and https://github.com/ladjs.

[ggkitsas]

Hi,
I am communicating on behalf of Snyk's Security Team. We have verified this vulnerability and reached out to try and discuss this issue further with the maintainers several times. As of now we have yet to get a response, and due to this vulnerability already being exposed publicly, we feel the responsible thing to do is to move to official disclosure.

We have internally assigned a CVE to this vulnerability and will be looking to publish it in our public database in the next 24 hours - if any of the maintainers wish to reach out to us and discuss or wish for us to wait - please do reach out either here or to our disclosure email [email protected], as we would be very happy to discuss with the maintainer team before publishing.

George,
Snyk Security Team

[arderyp]

@kevva @joakimbeng @sindresorhus @joostverdoorn @BendingBender

Thoughts?

[justinlazaro-iselect]

any update on this?

[arderyp]

unfortunately, I think the project is dead

[joostverdoorn]

I think PRs are welcome, but the project is no longer actively maintained

[niftylettuce]

This issue is fixed in my maintained and modern version of this package at https://github.com/niftylettuce/url-regex-safe. You should be able to switch from url-regex to url-regex-safe now. See the updated list of options as I added some new ones, and changed a few defaults to more sensible ones (since not everyone is parsing Markdown for instance).