uBlock/src/js/arglist-parser.js
Raymond Hill eaedaf5b10
Fix regexes with potential catastrophic backtracking
The quoted email below was sent to ubo-security at raymondhill dot net:

=====
Dear Raymond,

I am writing to report a potential Regular Expression Denial of Service (ReDoS)
vulnerability in the 1p-filters.js script of uBlock Origin. The vulnerability
occurs due to the use of the regular expression /\s+$/, which is used to remove
trailing whitespace. This issue can lead to a denial of service when processing
strings with a large number of trailing spaces, potentially causing a browser to
freeze.

Affected file(s)

    js/1p-filters.js

Vulnerable pattern(s)

    Lines 131 and 167: /\s+$/

Description of the issue

The regular expression /\s+$/ is applied to remove trailing whitespace in user‑
provided content. However, when the content has a large number of spaces
(e.g., ~100,000), this pattern causes excessive backtracking in the regular
expression engine, resulting in performance degradation and UI freezing. This is
a classic ReDoS attack vector.

Steps to reproduce

1. Open the uBlock Origin dashboard and navigate to the My filters tab.
2. Run the following code in the browser's DevTools Console or as a bookmarklet.
3. Observe the UI freezing for several seconds or even longer, depending on the
   number of spaces used.

PoC (Proof of Concept)

/**
 * poc.js — triggers ReDoS in 1p-filters.js
 * Expected: <1 ms; Actual: several seconds – UI freeze
 */
(() => {
  const payload = " ".repeat(100000) + "!";  // 100,000 spaces + sentinel
  const run = () => {
    if (!window.cmEditor) {
      console.error("cmEditor not ready");
      return;
    }
    // Inject payload into the editor
    cmEditor.setValue(payload);

    console.time("ReDoS");
    // Call the vulnerable function (mirroring getEditorText)
    cmEditor.getValue().replace(/\s+$/, '');
    // Alternatively, simulate a realistic user flow:
    // document.querySelector('#userFiltersApply').click();
    console.timeEnd("ReDoS");
  };

  if (document.readyState === "complete") {
    run();
  } else {
    window.addEventListener("load", run, { once: true });
  }
})();

Impact

This issue can significantly degrade the user experience, causing the page to
become unresponsive. If an attacker can inject this malicious string into the
page (for example, through XSS or other attacks), it could lead to a denial of
service (DoS). This vulnerability can be triggered repeatedly, causing the
browser to hang indefinitely.

Suggested fix

The issue can be mitigated by replacing /\s+$/ with a more efficient solution,
such as a look‑behind assertion /(?<=\S)\s+$/ (available in modern browsers)
which ensures no backtracking occurs, or using trimEnd() for legacy support:

// Example of using look-behind:
cmEditor.setValue(text.replace(/(?<=\S)\s+$/, '') + '\n\n');

// Alternatively, using trimEnd():
cmEditor.setValue(text.trimEnd() + '\n\n');

Additional information

If required, I am happy to assist in testing or provide more information.
Please feel free to contact me for further clarification.

Best regards,
[redacted]
=====
2025-04-15 12:47:02 -04:00

116 lines
4.7 KiB
JavaScript

/*******************************************************************************
uBlock Origin - a comprehensive, efficient content blocker
Copyright (C) 2020-present Raymond Hill
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see {http://www.gnu.org/licenses/}.
Home: https://github.com/gorhill/uBlock
*/
/******************************************************************************/
export class ArglistParser {
constructor(separatorChar = ',', mustQuote = false) {
this.separatorChar = this.actualSeparatorChar = separatorChar;
this.separatorCode = this.actualSeparatorCode = separatorChar.charCodeAt(0);
this.mustQuote = mustQuote;
this.quoteBeg = 0; this.quoteEnd = 0;
this.argBeg = 0; this.argEnd = 0;
this.separatorBeg = 0; this.separatorEnd = 0;
this.transform = false;
this.failed = false;
this.reWhitespaceStart = /^\s+/;
this.reWhitespaceEnd = /(?:^|\S)(\s+)$/;
this.reOddTrailingEscape = /(?:^|[^\\])(?:\\\\)*\\$/;
this.reTrailingEscapeChars = /\\+$/;
}
nextArg(pattern, beg = 0) {
const len = pattern.length;
this.quoteBeg = beg + this.leftWhitespaceCount(pattern.slice(beg));
this.failed = false;
const qc = pattern.charCodeAt(this.quoteBeg);
if ( qc === 0x22 /* " */ || qc === 0x27 /* ' */ || qc === 0x60 /* ` */ ) {
this.indexOfNextArgSeparator(pattern, qc);
if ( this.argEnd !== len ) {
this.quoteEnd = this.argEnd + 1;
this.separatorBeg = this.separatorEnd = this.quoteEnd;
this.separatorEnd += this.leftWhitespaceCount(pattern.slice(this.quoteEnd));
if ( this.separatorEnd === len ) { return this; }
if ( pattern.charCodeAt(this.separatorEnd) === this.separatorCode ) {
this.separatorEnd += 1;
return this;
}
}
}
this.indexOfNextArgSeparator(pattern, this.separatorCode);
this.separatorBeg = this.separatorEnd = this.argEnd;
if ( this.separatorBeg < len ) {
this.separatorEnd += 1;
}
this.argEnd -= this.rightWhitespaceCount(pattern.slice(0, this.separatorBeg));
this.quoteEnd = this.argEnd;
if ( this.mustQuote ) {
this.failed = true;
}
return this;
}
normalizeArg(s, char = '') {
if ( char === '' ) { char = this.actualSeparatorChar; }
let out = '';
let pos = 0;
while ( (pos = s.lastIndexOf(char)) !== -1 ) {
out = s.slice(pos) + out;
s = s.slice(0, pos);
const match = this.reTrailingEscapeChars.exec(s);
if ( match === null ) { continue; }
const tail = (match[0].length & 1) !== 0
? match[0].slice(0, -1)
: match[0];
out = tail + out;
s = s.slice(0, -match[0].length);
}
if ( out === '' ) { return s; }
return s + out;
}
leftWhitespaceCount(s) {
const match = this.reWhitespaceStart.exec(s);
return match === null ? 0 : match[0].length;
}
rightWhitespaceCount(s) {
const match = this.reWhitespaceEnd.exec(s);
return match === null ? 0 : match[1].length;
}
indexOfNextArgSeparator(pattern, separatorCode) {
this.argBeg = this.argEnd = separatorCode !== this.separatorCode
? this.quoteBeg + 1
: this.quoteBeg;
this.transform = false;
if ( separatorCode !== this.actualSeparatorCode ) {
this.actualSeparatorCode = separatorCode;
this.actualSeparatorChar = String.fromCharCode(separatorCode);
}
while ( this.argEnd < pattern.length ) {
const pos = pattern.indexOf(this.actualSeparatorChar, this.argEnd);
if ( pos === -1 ) {
return (this.argEnd = pattern.length);
}
if ( this.reOddTrailingEscape.test(pattern.slice(0, pos)) === false ) {
return (this.argEnd = pos);
}
this.transform = true;
this.argEnd = pos + 1;
}
}
}