https://huntr.dev/users/mufeedvh has fixed the Regular Expression Denial of Service (ReDoS) vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #10
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/timespan.js/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-timespan.js

⚙️ Description *

No limitation in input size inside Regex makes it vulnerable to ReDoS (Regex Denial of Service) which can cause a slowdown (for 50,000 characters around 10 seconds matching time).

💻 Technical Description *

The Regex implementations used are vulnerable to ReDoS as they check for digits with no limits:

(\d+)

This can be fixed with limiting the digit matches of the Regex pattern.

🐛 Proof of Concept (PoC) *

The following regular expressions used for parsing the dates are vulnerable to ReDoS:

/(\d+)milli(?:second)?[s]?/i
/(\d+)second[s]?/i
...

The slowdown is relatively large when combining the slowdown produced by all the regex (for 50,000 characters around 10
seconds matching time).

Ref: #10

🔥 Proof of Fix (PoF) *

As the author of #10 (comment) suggests, I've implemented a digit limit for the Regex (MAX_SAFE_INTEGER).

(\d{1,16})

👍 User Acceptance Testing (UAT)

Changed the Regex pattern, no breaking changes have been introduced.