Vulnerable Regular Expressions

[cristianstaicu]

The following regular expressions used for parsing the dates are vulnerable to ReDoS:

/(\d+)milli(?:second)?[s]?/i
/(\d+)second[s]?/i
...

The slowdown is relatively large when combining the slowdown produced by all the regexs (for 50,000 characters around 10 seconds matching time). I would suggest one of the following:

• remove the regex,
• anchor the regex,
• limit the number of characters that can be matched by the repetition,
• limit the input size.

If needed, I can provide an actual example showing the slowdown.

[reaktivo]

Bump

[marin-liovic]

Anybody working on this issue? Could you @cristianstaicu create a PR with the fix?

[bennycode]

This issue got reported to me through the Node Security Platform: https://nodesecurity.io/advisories/533