[su_dropcap style=”simple”]I[/su_dropcap]magine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get 500 Internal Server Error. For some reason the site is down. You can’t do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.
Availability is not often treated as a security problem, which it is, and it’s impacts are immediate, and deeply felt.
The attack surface for Node.js in regards to loss of availability is quite large, as we are dealing with a single event loop. If an attacker can control and block that event loop, then nothing else gets done.
There are many ways to block the event loop, one way an attacker can do that is with Regular Expression Denial of Service (ReDoS).
If user provided input finds it’s way into a regular expression, or a regular expression is designed with certain attributes, such as grouping with repetition, you can find yourself in a vulnerable position, as the regular expression match could take a long time to process. OWASP has a deeper explanation of why this occurs.
Let’s look at an vulnerable example. Below we are attempting the common task of validating an email address on the server.
validateEmailFormat: function( string ) {
var emailExpression = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;
return emailExpression.test( string );}
With the example above, we can use this test script to show how bad input can impact server responsiveness:
start = process.hrtime();
console.log(validateEmailFormat("baldwin@andyet.net"));
console.log(process.hrtime(start));
start = process.hrtime();
console.log(validateEmailFormat("jjjjjjjjjjjjjjjjjjjjjjjjjjjj@ccccccccccccccccccccccccccccc.5555555555555555555555555555555555555555{"));
console.log(process.hrtime(start));
start = process.hrtime();
console.log(validateEmailFormat("jjjjjjjjjjjjjjjjjjjjjjjjjjjj@ccccccccccccccccccccccccccccc.55555555555555555555555555555555555555555{"));
console.log(process.hrtime(start));
start = process.hrtime();
console.log(validateEmailFormat("jjjjjjjjjjjjjjjjjjjjjjjjjjjj@ccccccccccccccccccccccccccccc.555555555555555555555555555555555555555555555555555555{"));
console.log(process.hrtime(start));
Here are the results of running that script:
true [ 0, 9694442 ] <- Match on good data takes little time false [ 0, 49849962 ] <- Initial bad input baseline false [ 0, 55123953 ] <- Added 1 character to the input and you see minimal spike false [ 8, 487126563 ] <- Added 12 characters and you see it bumps up significantly
One way you can check regular expressions for badness in an automated way is by using a module from substack called safe-regex. It’s prone to false positives, however, it can be useful to point to potentially vulnerable regular expressions you would have otherwise missed in your code.
Here is a rule for eslint that you can use to test your JavaScript regular expressions:
var safe = require('safe-regex');
module.exports = function(context) {
"use strict";
return {
"Literal": function(node) {
var token = context.getTokens(node)[0],
nodeType = token.type,
nodeValue = token.value;
if (nodeType === "RegularExpression") {
if (!safe(nodeValue)) {
context.report(node, "Possible Unsafe Regular Expression");
}
}
}
};
};
Additionally, OWASP has a list of regular expressions for common validations that might be useful to you.
As part of our ongoing effort to increase the overall security of the Node.js ecosystem, we have conducted automated analysis of every module on npm. We did identify 56 unique vulnerable regular expressions and over 120 modules containing vulnerable regular expressions. Considering that there are now over 100k modules, the results were not alarming. We’re working closely with the maintainers of each module to get the issues resolved, once that’s done, advisories will be published to the Node Security Project.
buy generic viagra online viagra without a doctor prescription buy generic 100mg viagra online
no prescription viagra buy viagra online 100mg viagra
viagra doses 200 mg buy cheap sildenafil best over the counter viagra
cialis side effects buy tadalafil the cost of cialis
fda warning list cialis cheap cialis samples of cialis
viagra without a doctor prescription usa viagra for sale viagra over the counter
canadian pharmacy viagra viagra cvs viagra
natural ed remedies ed pills for sale herbal ed treatment
remedies for ed ed pills otc viagra without a prescription
canadian online pharmacy viagra cheap viagra over the counter viagra cvs
buy generic viagra buy viagra online viagra without prescription
viagra professional buy viagra buy viagra online usa
generic viagra walmart viagra canada viagra discount
price of viagra buy viagra buy viagra online cheap
cheapest viagra online cheap ed pills viagra over the counter usa 2020
viagra from canada buy viagra from canada online viagra
viagra from india canadian pharmacy viagra viagra prescription
viagra pill buy viagra online generic viagra without a doctor prescription
discount viagra generic viagra where to buy viagra
cat antibiotics without pet prescription generic ed pills ed meds pills drugs
ed cure ED Pills Without Doctor Prescription ed meds online without doctor prescription
ed pills that work quickly cheap ed pills men with ed
buy ed drugs cheap ed pills how to fix ed
erectile dysfunction treatment sildenafil without a doctor’s prescription herbal ed
best natural cure for ed ED Pills Without Doctor Prescription buy ed pills online
best ed treatment pills ED Pills viagra without a doctor prescription walmart
hard erections cialis cialis for sale generic cialis no doctor’s prescription
cialis headaches afterwards generic cialis cialis dosage
take cialis with or without food buy cialis online cialis discount card
does cialis lower your blood pressure tadalafil safe alternatives to viagra and cialis
buy ed drugs online canadian drugstore online what type of medicine is prescribed for allergies
natural ed treatments
cheap pills online best online canadian pharmacy canadian drug
ed cures that work
erectial dysfunction online prescription for ed meds cheap medication online
cause of ed
erectile dysfunction pills buy ed pills online shots for ed
homepage
viagra without a doctor prescription walmart canadian drug pharmacy over the counter ed medication
homepage
sexual dysfunction in men prescription drugs canadian pharmacy online
google viagra dosage recommendations
drugs for ed cheap medication online ed pharmacy
erectile dysfunction medication
https://amoxicillingeneric500.com/ amoxicillin 500mg
https://zantacgeneric150.com/ zantac recall
https://zantacgeneric150.com/ order zantac
https://ventolin100mcg.com/ where to buy ventolin nz
https://zantacgeneric150.com/ zantac recall
https://zantacgeneric150.com/ zantac coupon
https://doxycylinegeneric100.com/
https://valtrexgeneric500.com/ valtrex prescription online
https://zantacgeneric150.com/ zantac coupons
buy tadalafil tadalafil pharmacy
buy tadalafil online tadalafil canada
cheap tadalafil tadalafil online