Description
This issue was imported from Pivotal. Originally created on Nov 6, 2023 by Peter Havekes.
The RA application's client-side code ships a regular expression whose matching time grows super-linearly with the input, which can be turned into a client-side Denial-of-Service (ReDoS). In the `matchWord` regular expression, an unbounded `+` run over the Arabic character class is immediately followed by a group that needs a run from an overlapping class, separated only by a lazily quantified, optional whitespace run (`\s*?`), and the group is itself repeated (`{1,2}`). Because the pattern is unanchored, a long run of characters that the first class accepts but the second rejects (the `/` character is the simplest example, as only the first class contains it) forces the engine to back off one character at a time at every start position: the work is quadratic in the input length, not linear. A sufficiently long attacker-controlled string fed through this pattern therefore keeps the browser's JavaScript thread busy for seconds or longer, blocking the page.
Affected file:
Stepup-RA/src/Surfnet/StepupRa/RaBundle/Resources/public/js/moment/src/lib/parse/regex.js
Affected code:
export var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
Solution
Limit the length of the matching strings: replace every unbounded quantifier in the pattern with a bounded one (`+` becomes `{1,N}`, `*` becomes `{0,N}`, for a fixed maximum run length such as 256). The engine can then give back at most N characters per start position, so the cost per position is capped regardless of input length and the overall match is linear. No legitimate month or weekday name comes anywhere near that length, so the parser's behaviour on valid input is unchanged. Upstream moment.js applies exactly this kind of bound in current releases, so updating the vendored copy is an equivalent fix.
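The following is an added example, not code from Stepup-RA or from the moment project. It runs the `matchWord` pattern quoted above against a crafted input of repeated `/` characters, which the first Arabic-word class accepts but the class inside the group rejects, and compares it with a length-bounded variant of the same pattern built along the lines of the proposed solution. The 256-character cap, the `craftedInput`/`timeMatch`/`compare` helpers and the sample words are assumptions made for this demonstration; only the unbounded regex is taken from the issue.

```javascript
// Added example (not Stepup-RA or moment code): shows the quadratic
// backtracking of the matchWord regex quoted in this issue and the effect
// of bounding every unbounded run, as the issue's solution proposes.

// The regex exactly as quoted in the issue (unbounded `*` and `+` runs).
const MATCH_WORD_UNBOUNDED =
  /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;

// Same structure with every run capped at 256 characters (the cap is an
// assumption here). Per start position the engine can now give back at most
// 256 characters, so total work is linear in the input length.
const MATCH_WORD_BOUNDED =
  /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;

// Crafted ReDoS input: n slashes. '/' is in the first Arabic-word class but
// not in the class inside the group, so the second alternative never matches
// and the engine retries every shorter run at every one of the n start
// positions: roughly n*n/2 steps for the unbounded pattern.
function craftedInput(n) {
  return '/'.repeat(n);
}

// Run one exec() and return the matched text (or null) plus wall time in ms.
function timeMatch(re, input) {
  const now = () =>
    typeof performance !== 'undefined' ? performance.now() : Date.now();
  const start = now();
  const m = re.exec(input);
  return { match: m ? m[0] : null, ms: now() - start };
}

// Constructed benign inputs: the kind of token a month/weekday-name parser
// expects. Arabic samples are written as escapes to avoid bidi confusion.
const BENIGN_INPUTS = [
  'January',
  '12th',
  '\u064A\u0646\u0627\u064A\u0631',                  // "يناير" (January)
  '\u0631\u062C\u0628 \u0661\u0664\u0664\u0665',     // "رجب ١٤٤٥" (two words)
];

// Compare both patterns: they must agree on benign input, and the bounded
// one must reject the crafted input in far less time than the unbounded one.
function compare(n) {
  const benign = BENIGN_INPUTS.map((input) => ({
    input,
    unbounded: timeMatch(MATCH_WORD_UNBOUNDED, input).match,
    bounded: timeMatch(MATCH_WORD_BOUNDED, input).match,
  }));
  const crafted = craftedInput(n);
  return {
    benign,
    crafted: {
      length: n,
      unbounded: timeMatch(MATCH_WORD_UNBOUNDED, crafted),
      bounded: timeMatch(MATCH_WORD_BOUNDED, crafted),
    },
  };
}

// Stand-alone run: doubling n roughly quadruples the unbounded time.
for (const n of [5000, 10000, 20000]) {
  const r = compare(n);
  console.log(
    `n=${n}: unbounded ${r.crafted.unbounded.ms.toFixed(1)} ms, ` +
      `bounded ${r.crafted.bounded.ms.toFixed(1)} ms, ` +
      `benign agree: ${r.benign.every((b) => b.unbounded === b.bounded)}`
  );
}
```

A few thousand characters are enough to see the difference; at tens of thousands the unbounded pattern already costs seconds on a desktop browser, which is the budget an attacker needs to freeze the page. Note that both patterns return `null` on the crafted input, so the bound changes cost, not results.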