Описание
Inefficient Regular Expression Complexity in shescape
Impact
This impacts users that use shescape to escape arguments:
- for the Unix shell Bash, or any not-officially-supported Unix shell;
- using the
escapeorescapeAllfunctions with theinterpolationoption set totrue.
An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
Patches
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Workarounds
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
References
For more information
- Comment on commit 552e8ea
- Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
Ссылки
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-cr84-xvw4-qx3c
- https://nvd.nist.gov/vuln/detail/CVE-2022-25918
- https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
- https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
- https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
- https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
Пакеты
shescape
>= 1.5.10, < 1.6.1
1.6.1
Связанные уязвимости
The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.