1959687 - Possible ReDoS from rawRecipe.pathRegex

Status: REOPENED

(Toolkit :: Password Manager, defect)

Description

[RuslanSemchenko]

Attachment: code.txt

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36

Steps to reproduce:

In file toolkit/components/passwordmgr/LoginRecipes.sys.mjs
section where rawRecipe.pathRegex is processed and used to create a new RegExp object without any validation.
Input a regular expression pattern with catastrophic backtracking behavior (a+)+).

Actual results:

The program dynamically creates a RegExp object from an unsanitized input, which may lead to excessive computational complexity if the regular expression contains patterns prone to ReDoS (e.g., nested quantifiers).

If a malicious user or external source provides a specially crafted regular expression, the application can experience a significant delay or crash, resulting in a denial of service (DoS) condition.

Expected results:

The code should validate the regular expression pattern before using it to ensure it does not contain unsafe or complex patterns prone to ReDoS attacks.

The code does not properly sanitize or validate regular expression patterns before creating a RegExp object.

Comment 1

[Andrew McCreight [:mccr8]]

It looks like the values of rawRecipe.pathRegex are hard coded, so there shouldn't be a problem in practice.

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug is invalid.
If you think the bot is wrong, please reopen the bug and move it back to its prior component.
If your bug description is written in a non-English language, please use Google Translate or a similar service to translate it.

Please note that this is a production bug database used by the Mozilla community to develop Firefox, Thunderbird and other products.
Filing test bugs here will waste the time of our contributors, volunteers and employees.
Accounts that abuse bugzilla.mozilla.org will be disabled.