Do I need to worry about CWE-400 - Regexp DoS?

[camjackson]

Snyk is warning about code that looks something like:

import { match } from 'path-to-regexp';

const matchPath1 = match('/some/url/:slug+');
const matchPath2 = match('/some/other/url/:slug*');
const matchPath3 = match('third/[slug]')

const getMatches = (path: string) => {
  return [
    matchPath1(path),
    matchPath2(path),
    matchPath3(path),
  ]
}

, where path comes from the incoming request so it can be set by an attacker.

I can't not have the path be set by the user, so AFAICT my only option is to ensure that the regexp used to test the path is safe. Where "safe" means that it's not vulnerable to malicious input strings which try to make it do excessive backtracking etc.

Does this library guarantee that the regexps it creates and uses under the hood are not vulnerable to DoS? Are there certain strings I need to avoid when calling match and compile in order to ensure that the created regexps are safe?

[blakeembrey]

Hi @camjackson, I just published the security advisory related to ReDoS. It's been pending Express.js committing to patches for a couple of months which is why it's been a bit messy waiting: GHSA-9wv6-86v2-598j.

Does this library guarantee that the regexps it creates and uses under the hood are not vulnerable to DoS?

Unfortunately it's not guaranteed, except in v8. It's not possible to protect against every possible user input path right now without fully parsing user supplied regular expressions. As it's a little complex for me to write as an individual right now, I have opted to minimize supported features in v8 instead.

Are there certain strings I need to avoid when calling match and compile in order to ensure that the created regexps are safe?

If you aren't using v8, the advisory has more detail on what paths can cause the issue.

Note: Path in this case is "path-to-regexp" path, so the /some/url/:slug+, not the URL path to be matched. It's unclear, but that was the library name so I just rolled with it 🤷 I also published a post here with some more detail: https://blakeembrey.com/posts/2024-09-web-redos/

[camjackson]

Thanks @blakeembrey, the detail in the advisory was really helpful. Quoting it here for others:

The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b...

My path parameters are always separated by slashes so I don't think I'm vulnerable.