A ReDoS vulnerability exists in grammar.js

[xywang18]

The affected code is located in grammar.js-line191. It uses the vulnerable regular expression '(\\.|[^'\\])*'. When the match fails, it will cause catastrophic backtracking.
I generate PoC using the python script below

f = open("test.LR0", "w")
f.write("\u0000\\\u0000\\'" * 40000)
f.flush()

then run ./syntax --grammar test.LR0

[DmitrySoshnikov]

Thanks for the report - what's the impact here? Would be great to fix it - and will appreciate a PR for this.

[xywang18]

Thanks for the report - what's the impact here? Would be great to fix it - and will appreciate a PR for this.

Thanks for your reply!
The impact here is that, if the user provides the grammar file generated by the python script above, the regex engine will exhaust computing resources and the application will be slow to respond, causing denial-of-service attack.
You can read the report related to ReDoS to learn more about it.

[xywang18]

I have submitted a PR, could you take a look?

[DmitrySoshnikov]

Hi @d1tto, thanks for the PR - do we have an existing test for this (or need to add a new one)?