Impact
t.String({ format: 'url' }) is vulnerable to redos
Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly
Here's a table demonstrating how long it takes to process repeated partial url format
n repeat |
elapsed_ms |
| 1024 |
33.993 |
| 2048 |
134.357 |
| 4096 |
537.608 |
| 8192 |
2155.842 |
| 16384 |
8618.457 |
| 32768 |
34604.139 |
Patches
Patched by 1.4.26, please kindly update elysia to >= 1.4.26
Here's how long it takes after the patch
n repeat |
elapsed_ms |
| 1024 |
0.194 |
| 2048 |
0.274 |
| 4096 |
0.455 |
| 8192 |
0.831 |
| 16384 |
1.632 |
| 32768 |
3.052 |
Workarounds
- It's recommended to always limit URL format to a reasonable length
t.String({
format: 'url',
maxLength: 288
})
- If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase
import { FormatRegistry } from '@sinclair/typebox'
FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
/^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
value
)
)References
https://github.com/EdamAme-x/elysia-poc-redos
Impact
t.String({ format: 'url' })is vulnerable to redosRepeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly
Here's a table demonstrating how long it takes to process repeated partial url format
nrepeatPatches
Patched by 1.4.26, please kindly update
elysiato >= 1.4.26Here's how long it takes after the patch
nrepeatWorkarounds
References
https://github.com/EdamAme-x/elysia-poc-redos