
Security: Fix polynomial ReDoS vulnerability (CodeQL #1) #27

@jmaddington

Description

A vulnerable regular expression has been detected that could lead to Denial of Service (DoS) through Regular Expression Denial of Service (ReDoS).

Location

  • File: lib/google_image_charts.js
  • Line: 665

Issue

The application uses a regular expression that may take exponential time to process certain inputs. According to the CodeQL analysis, the regex may run extremely slow on strings starting with '9N' and with many repetitions of '))', potentially allowing an attacker to cause a denial of service.

Recommendation

To fix this issue:

  1. Rewrite the regular expression to avoid ambiguity
  2. Limit the length of input strings that can be processed by the regex
  3. Use non-backtracking regex engines if possible
  4. Add timeouts to regex operations

References

  • CWE-1333: Inefficient Regular Expression Complexity
  • CWE-400: Uncontrolled Resource Consumption
  • OWASP Regular expression Denial of Service - ReDoS
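Added illustration (not code from this repository, and not the regex at lib/google_image_charts.js:665, which the issue does not quote): a constructed pattern with the shape CodeQL reports as polynomial ReDoS, matched against inputs of the kind the alert describes ('9N' followed by many '))'), beside the two cheapest fixes from the recommendation list, an unambiguous rewrite and an input-length cap. The regexes, the attack strings and the 4096-character cap are all assumptions made for the example.

```javascript
// Added, constructed example: not code from the google_image_charts project and
// not the regex at lib/google_image_charts.js:665. It shows the pattern shape
// CodeQL reports as polynomial ReDoS and the two cheapest fixes from the issue.

// Constructed pattern with the flagged shape: two adjacent `(\)\))*` groups are
// ambiguous, because a run of n "))" pairs can be split between them in n+1 ways.
// When the tail then fails to match, the engine tries every split: O(n^2) work.
const AMBIGUOUS = /^9N(\)\))*(\)\))*$/;

// Fix 1 (rewrite to remove ambiguity): one group, one way to consume each pair,
// so a failing input is rejected after a single linear scan.
const UNAMBIGUOUS = /^9N(\)\))*$/;

// Fix 2 (bound the input): a regex cannot be made slow on input it never sees.
// 4096 is an assumed cap; derive the real one from the longest legitimate value.
const MAX_INPUT_LENGTH = 4096;

// Guarded matcher: type and length checks run before the regex does.
function matchesSafely(input, pattern = UNAMBIGUOUS) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_INPUT_LENGTH) return false;
  return pattern.test(input);
}

// Constructed attack input of the shape the alert describes: "9N", many "))",
// then a character that makes the anchored match fail and forces backtracking.
function attackString(pairs) {
  return '9N' + '))'.repeat(pairs) + 'x';
}

// Time one regex test; `performance` is a Node global (v16+) and a browser global.
function timeMs(pattern, input) {
  const t0 = performance.now();
  const result = pattern.test(input);
  return { result, ms: performance.now() - t0 };
}

// Run both patterns over growing attack inputs. The ambiguous pattern's time
// grows roughly quadratically with n; the fixed pattern stays near zero.
function compare(sizes = [2000, 4000, 8000]) {
  return sizes.map((n) => {
    const s = attackString(n);
    return {
      n,
      length: s.length,
      ambiguous: timeMs(AMBIGUOUS, s),
      fixed: timeMs(UNAMBIGUOUS, s),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compare()) {
    console.log(
      `n=${row.n} len=${row.length}: ambiguous ${row.ambiguous.ms.toFixed(1)} ms, ` +
        `fixed ${row.fixed.ms.toFixed(1)} ms (both return ${row.ambiguous.result})`
    );
  }
  console.log('guarded, over cap:', matchesSafely(attackString(5000)));
}
```

Both patterns accept and reject the same strings; only the cost of rejection differs, which is why a test suite alone will not catch this class of bug and timing or a static analyser like CodeQL is needed. Recommendations 3 and 4 have no built-in equivalent in Node: the native engine offers no timeout, and a linear-time guarantee requires a non-backtracking matcher such as the `re2` npm package (a binding to Google's RE2), at the cost of losing backreferences and lookaround.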
