Asymmetric denial of service - ReDoS In shescape
Description
Inefficient Regular Expression Complexity in shescape
Impact
This impacts users that use shescape to escape arguments:
for the Unix shell Bash, or any not-officially-supported Unix shell;
using the escape or escapeAll functions with the interpolation option set to true.
An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
import * as shescape from "shescape"; /* 1. Prerequisites */ const options = { interpolation: true, // and shell: "/bin/bash", // or...
Patches
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Workarounds
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
References
For more information
Comment on commit 552e8ea
Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 1.6.1 |
Aliases
References