uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.
Find a file
Raymond Hill eaedaf5b10
Fix regexes with potential catastrophic backtracking
The quoted email below was sent to ubo-security at raymondhill dot net:

=====
Dear Raymond,

I am writing to report a potential Regular Expression Denial of Service (ReDoS)
vulnerability in the 1p-filters.js script of uBlock Origin. The vulnerability
occurs due to the use of the regular expression /\s+$/, which is used to remove
trailing whitespace. This issue can lead to a denial of service when processing
strings with a large number of trailing spaces, potentially causing a browser to
freeze.

Affected file(s)

    js/1p-filters.js

Vulnerable pattern(s)

    Lines 131 and 167: /\s+$/

Description of the issue

The regular expression /\s+$/ is applied to remove trailing whitespace in user‑
provided content. However, when the content has a large number of spaces
(e.g., ~100,000), this pattern causes excessive backtracking in the regular
expression engine, resulting in performance degradation and UI freezing. This is
a classic ReDoS attack vector.

Steps to reproduce

1. Open the uBlock Origin dashboard and navigate to the My filters tab.
2. Run the following code in the browser's DevTools Console or as a bookmarklet.
3. Observe the UI freezing for several seconds or even longer, depending on the
   number of spaces used.

PoC (Proof of Concept)

/**
 * poc.js — triggers ReDoS in 1p-filters.js
 * Expected: <1 ms; Actual: several seconds – UI freeze
 */
(() => {
  const payload = " ".repeat(100000) + "!";  // 100,000 spaces + sentinel
  const run = () => {
    if (!window.cmEditor) {
      console.error("cmEditor not ready");
      return;
    }
    // Inject payload into the editor
    cmEditor.setValue(payload);

    console.time("ReDoS");
    // Call the vulnerable function (mirroring getEditorText)
    cmEditor.getValue().replace(/\s+$/, '');
    // Alternatively, simulate a realistic user flow:
    // document.querySelector('#userFiltersApply').click();
    console.timeEnd("ReDoS");
  };

  if (document.readyState === "complete") {
    run();
  } else {
    window.addEventListener("load", run, { once: true });
  }
})();

Impact

This issue can significantly degrade the user experience, causing the page to
become unresponsive. If an attacker can inject this malicious string into the
page (for example, through XSS or other attacks), it could lead to a denial of
service (DoS). This vulnerability can be triggered repeatedly, causing the
browser to hang indefinitely.

Suggested fix

The issue can be mitigated by replacing /\s+$/ with a more efficient solution,
such as a look‑behind assertion /(?<=\S)\s+$/ (available in modern browsers)
which ensures no backtracking occurs, or using trimEnd() for legacy support:

// Example of using look-behind:
cmEditor.setValue(text.replace(/(?<=\S)\s+$/, '') + '\n\n');

// Alternatively, using trimEnd():
cmEditor.setValue(text.trimEnd() + '\n\n');

Additional information

If required, I am happy to assist in testing or provide more information.
Please feel free to contact me for further clarification.

Best regards,
[redacted]
=====
2025-04-15 12:47:02 -04:00
.github Fix workflow and makefile 2025-01-10 11:08:54 -05:00
assets [mv3] Ensure POL-3 list is separate from POL-0 list in uBOL 2025-04-14 09:07:46 -04:00
dist Make Firefox dev build auto-update 2025-04-13 07:45:55 -04:00
docs Fix typos in README, docs, and JS comments 2022-03-13 08:56:26 -04:00
platform [mv3] Fix Github Actions 2025-04-13 15:45:39 -04:00
src Fix regexes with potential catastrophic backtracking 2025-04-15 12:47:02 -04:00
tools Add path support as target option in static extended filtering 2025-04-08 11:20:27 -04:00
.gitignore Update .gitignore 2025-01-04 20:41:28 -05:00
CHANGELOG.md Update changelog 2025-04-13 07:38:19 -04:00
CONTRIBUTING.md Update contributing guide 2024-11-01 16:33:22 -04:00
eslint.config.mjs Better integrate latest eslint version 2025-01-10 10:25:15 -05:00
LICENSE.txt first commit 2014-06-23 18:42:43 -04:00
Makefile Rebuild MV3 extension if mv3-data content changes 2025-03-10 09:24:26 -04:00
MANIFESTO.md Update MANIFESTO.md (#3888) 2023-04-15 15:42:12 -04:00
package-lock.json Better integrate latest eslint version 2025-01-10 10:25:15 -05:00
package.json Fix "make lint" command; fix more lint errors 2025-01-19 09:35:51 -05:00
README.md Update links in readme 2024-11-01 16:33:23 -04:00
RELEASE.HEAD.md Re-wording 2025-03-02 12:27:45 -05:00
REMOVED.md Added data about old popup panel 2022-11-08 16:53:04 -05:00

Badge Commits Badge Issues Badge Localization Badge License Badge NPM Badge Mozilla Badge Chrome Badge Edge


uBlock Origin (uBO)

BEWARE! uBO is (and has always been) COMPLETELY UNRELATED to the website ublock.org.


Get uBlock Origin for Firefox Get uBlock Origin for Microsoft Edge Get uBlock Origin for Opera Get uBlock Origin for Thunderbird


Get uBlock Origin for Chromium
IMPORTANT: About Google Chrome's "This extension may soon no longer be supported"


uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker for Chromium and Firefox. It blocks ads, trackers, coin miners, popups, annoying anti-blockers, malware sites, etc., by default using EasyList, EasyPrivacy, Peter Lowe's Blocklist, Online Malicious URL Blocklist, and uBO filter lists. There are many other lists available to block even more. Hosts files are also supported. uBO uses the EasyList filter syntax and extends the syntax to work with custom rules and filters.

You may easily unselect any preselected filter lists if you think uBO blocks too much. For reference, Adblock Plus installs with only EasyList, ABP filters, and Acceptable Ads enabled by default.

It is important to note that using a blocker is NOT theft. Do not fall for this creepy idea. The ultimate logical consequence of blocking = theft is the criminalization of the inalienable right to privacy.

Ads, "unintrusive" or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. uBO's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means.


Documentation

Basic Mode Advanced Mode
The simple popup user interface for an install-it-and-forget-it type of installation that is configured optimally by default. The advanced popup user interface includes a point-and-click firewall that is configurable on a per-site basis.

Visit the Wiki for documentation.

For support, questions, or help, visit /r/uBlockOrigin.

Installation

Required Permissions

Firefox

Firefox Add-ons

Development Builds

uBO works best on Firefox and is available for desktop and Android versions.

Thunderbird

Thunderbird Add-ons

In Thunderbird, uBlock Origin does not affect emails, just feeds.

Chromium

Chrome Web Store

Microsoft Edge Add-ons (Published by: Nicole Rolls)

Opera Add-ons

Development Builds

uBO should be compatible with any Chromium-based browser.

All Programs

Do NOT use uBO with any other content blocker. uBO performs as well as or better than most popular blockers. Other blockers can prevent uBO's privacy or anti-blocker-defusing features from working correctly.

Manual Installation

Enterprise Deployment

Deploying uBO

Release History

Releases Page

Translations

Help translate uBO via Crowdin.

About

Manifesto

Privacy Policy

GPLv3 License

Free. Open-source. For users by users. No donations sought.

If you ever want to contribute something, think about the people working hard to maintain the filter lists you are using, which are available to use by all for free.