JavaScript: what is the "RegExp DoS issue"?
I just installed nodejs on a server, and a basic npm install shows a lot of messages like these:
$ npm install
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated graceful-fs@2.0.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN prefer global node-gyp@3.4.0 should be installed with -g
Notice the message on the right-hand side:
npm WARN ... or higher to avoid a RegExp DoS issue
^^^^^^^^^^^^^^^^^^^^^^^^^^^
On my local machine I was already using minimatch 3.0.3. But since the server isn't running the latest version of node, this was new to me, and I started investigating:
The problem is reported in an issue and mentioned in other issues. In general, it can be solved by upgrading the version of minimatch to at least 3.0.2.
However, I'd like to know what this RegExp DoS issue actually is. Is there a specific regular expression that allows a DoS attack through minimatch? I can't imagine how that would happen, and I don't want to reproduce it, but I couldn't find any more documentation or any trace of it.
From what I can see, it basically wraps regex syntax (I'm not familiar enough with JavaScript to follow every last detail). From the commit you linked to, the test added in that commit generates a pattern like this:
var exploit = '!(' + genstr(1024 * 15, '\\') + 'A)'
This creates a string that starts with "!(", followed by 1024*15 copies of "\", followed by "A)". That must be the DoS condition.
This line:
tail = tail.replace(/((?:\\{2}){0,64})(\\?)\|/g, function (_, $1, $2) {
is probably what chokes on it. Here is an excerpt from OWASP: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most regular expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a regular expression to enter these extreme situations and then hang for a very long time.
Full source: the issue is documented there. Very good! That matches the explanation robertklep mentioned in the comments.
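As an added, defender-side example (not from the question or the answer above): a small Node script that walks the JSON tree printed by `npm ls minimatch --json` and lists every copy of minimatch older than 3.0.2, the version the deprecation warnings ask for. The tree embedded below is constructed sample data, not real npm output.

```javascript
// Added example, not part of the original post: audit the dependency tree that
// `npm ls minimatch --json` prints and report every copy of minimatch older
// than 3.0.2, the version the npm deprecation warnings point to.
const MIN_SAFE = [3, 0, 2];

// Parse the leading major.minor.patch of a version string; null if unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when `version` sorts strictly below `minimum` (numeric compare per part).
function isBelow(version, minimum) {
  const a = parseVersion(version);
  if (!a) return false; // unknown version format: not flagged by this check
  for (let i = 0; i < 3; i++) {
    if (a[i] !== minimum[i]) return a[i] < minimum[i];
  }
  return false;
}

// Recursively walk an `npm ls --json` tree, whose shape is
// { dependencies: { <name>: { version, dependencies: {...} } } }.
// Returns "a@1 > b@2 > minimatch@x" paths for every vulnerable copy found.
function findVulnerable(node, pkgName, minimum, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name + '@' + dep.version);
    if (name === pkgName && isBelow(dep.version, minimum)) out.push(here.join(' > '));
    findVulnerable(dep, pkgName, minimum, here, out);
  }
  return out;
}

// Constructed sample tree mirroring the shape of real `npm ls` JSON output.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    glob: { version: '5.0.15',
            dependencies: { minimatch: { version: '2.0.10' } } },
    'fstream-ignore': { version: '1.0.5',
                        dependencies: { minimatch: { version: '3.0.3' } } },
    minimatch: { version: '0.2.14' },
  },
};

function auditSample() {
  return findVulnerable(SAMPLE_TREE, 'minimatch', MIN_SAFE);
}

// For a real project, replace SAMPLE_TREE with JSON.parse() of the npm ls output.
console.log(auditSample().join('\n') || 'no vulnerable minimatch found');
```

Only the two outdated copies are reported; the 3.0.3 copy under fstream-ignore is left alone.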