Merge pull request from GHSA-wqxw-8h5g-hq56

Fixes CVE-2023-23925 - Added TimedMatch for safe REGEX execution

Author: petruki

README.md

@@ -72,11 +72,13 @@ Switcher.buildContext({ url, apiKey, domain, component, environment }, {
 let switcher = Switcher.factory();
 ```
 
-- **offline**: If activated, the client will only fetch the configuration inside your snapshot file. The default value is 'false'.
+- **offline**: If activated, the client will only fetch the configuration inside your snapshot file. The default value is 'false'
 - **logger**: If activated, it is possible to retrieve the last results from a given Switcher key using Switcher.getLogger('KEY')
-- **snapshotLocation**: Location of snapshot files. The default value is './snapshot/'.
-- **silentMode**: If activated, all connectivity issues will be ignored and the client will automatically fetch the configuration into your snapshot file.
-- **retryAfter** : Time given to the module to re-establish connectivity with the API - e.g. 5s (s: seconds - m: minutes - h: hours).
+- **snapshotLocation**: Location of snapshot files. The default value is './snapshot/'
+- **silentMode**: If activated, all connectivity issues will be ignored and the client will automatically fetch the configuration into your snapshot file
+- **retryAfter**: Time given to the module to re-establish connectivity with the API - e.g. 5s (s: seconds - m: minutes - h: hours)
+- **regexMaxBlackList**: Number of entries cached when REGEX Strategy fails to perform (reDOS safe) - default: 50
+- **regexMaxTimeLimit**: Time limit (ms) used by REGEX workers (reDOS safe) - default - 3000ms
 
 ## Executing
 There are a few different ways to call the API using the JavaScript module.

snapshot/default.json

@@ -74,6 +74,22 @@
                                 }
                             ],
                             "components": []
+                        },
+                        {
+                            "key": "FF2FOR2024",
+                            "description": "reDOS safe test",
+                            "activated": true,
+                            "strategies": [
+                                {
+                                    "strategy": "REGEX_VALIDATION",
+                                    "activated": true,
+                                    "operation": "EXIST",
+                                    "values": [
+                                        "^(([a-z])+.)+[A-Z]([a-z])+$"
+                                    ]
+                                }
+                            ],
+                            "components": []
                         }
                     ]
                 },

sonar-project.properties

@@ -10,7 +10,7 @@ sonar.javascript.lcov.reportPaths=coverage/lcov.info
 sonar.sources=src
 sonar.tests=test
 sonar.language=js
-sonar.exclusions=src/**/*.d.ts
+sonar.exclusions=src/**/*.d.ts, src/lib/utils/timed-match/match-proc.js
 
 sonar.dynamicAnalysis=reuseReports
 # Encoding of the source code. Default is default system encoding

src/index.d.ts

@@ -140,6 +140,8 @@ declare namespace SwitcherClient {
     snapshotLocation: string;
     silentMode: boolean;
     retryAfter: string;
+    regexMaxBlackList: number;
+    regexMaxTimeLimit: number;
   }
 
   /**

src/index.js

@@ -2,6 +2,7 @@
 
 const Bypasser = require('./lib/bypasser');
 const ExecutionLogger = require('./lib/utils/executionLogger');
+const TimedMatch = require('./lib/utils/timed-match');
 const DateMoment = require('./lib/utils/datemoment');
 const { loadDomain, validateSnapshot, checkSwitchers } = require('./lib/snapshot');
 const services = require('./lib/remote');
@@ -74,6 +75,8 @@ class Switcher {
         this.options.retryTime = DEFAULT_RETRY_TIME.charAt(0);
         this.options.retryDurationIn = DEFAULT_RETRY_TIME.charAt(1);
       }
+
+      this.#initTimedMatch(options);
     }
   }
 
@@ -86,7 +89,7 @@ class Switcher {
       return false;
 
     if (!Switcher.context.exp || Date.now() > (Switcher.context.exp*1000))
-      await Switcher._auth();
+      await Switcher.#auth();
 
     const result = await validateSnapshot(
       Switcher.context, 
@@ -141,19 +144,30 @@ class Switcher {
     if (Switcher.options.offline) {
       checkSwitchers(Switcher.snapshot, switcherKeys);
     } else {
-      await Switcher._auth();
+      await Switcher.#auth();
       await services.checkSwitchers(
         Switcher.context.url, Switcher.context.token, switcherKeys);
     }
   }
 
-  static async _auth() {
+  static #initTimedMatch(options) {
+    if ('regexMaxBlackList' in options) {
+      TimedMatch.setMaxBlackListed(options.regexMaxBlackList);
+    }
+
+    if ('regexMaxTimeLimit' in options) {
+      TimedMatch.setMaxTimeLimit(options.regexMaxTimeLimit);
+    }
+  }
+
+
+  static async #auth() {
     const response = await services.auth(Switcher.context);
     Switcher.context.token = response.token;
     Switcher.context.exp = response.exp;
   }
 
-  static async _checkHealth() {
+  static async #checkHealth() {
     // checks if silent mode is still activated
     if (Switcher.context.token === 'SILENT') {
       if (!Switcher.context.exp || Date.now() < (Switcher.context.exp*1000)) {
@@ -210,7 +224,7 @@ class Switcher {
     if (input) { this._input = input; }
 
     if (!Switcher.options.offline) {
-      await Switcher._auth();
+      await Switcher.#auth();
     }
   }
 
@@ -233,7 +247,7 @@ class Switcher {
       errors.push('Missing key field');
     }
 
-    await this._executeApiValidation();
+    await this.#executeApiValidation();
     if (!Switcher.context.token) {
       errors.push('Missing token field');
     }
@@ -245,7 +259,7 @@ class Switcher {
 
   async isItOn(key, input, showReason = false) {
     let result;
-    this._validateArgs(key, input);
+    this.#validateArgs(key, input);
 
     // verify if query from Bypasser
     const bypassKey = Bypasser.searchBypassed(this._key);
@@ -255,13 +269,13 @@ class Switcher {
 
     // verify if query from snapshot
     if (Switcher.options.offline) {
-      result = this._executeOfflineCriteria();
+      result = await this.#executeOfflineCriteria();
     } else {
       await this.validate();
       if (Switcher.context.token === 'SILENT')
-        result = this._executeOfflineCriteria();
+        result = await this.#executeOfflineCriteria();
       else
-        result = await this._executeOnlineCriteria(showReason);
+        result = await this.#executeOnlineCriteria(showReason);
     }
 
     return result;
@@ -276,8 +290,8 @@ class Switcher {
     return this;
   }
 
-  async _executeOnlineCriteria(showReason) {
-    if (!this._useSync())
+  async #executeOnlineCriteria(showReason) {
+    if (!this.#useSync())
       return this._executeAsyncOnlineCriteria(showReason);
 
     const responseCriteria = await services.checkCriteria(
@@ -299,17 +313,17 @@ class Switcher {
     return ExecutionLogger.getExecution(this._key, this._input).response.result;
   }
 
-  async _executeApiValidation() {
-    if (this._useSync()) {
-      if (await Switcher._checkHealth() && 
+  async #executeApiValidation() {
+    if (this.#useSync()) {
+      if (await Switcher.#checkHealth() && 
         (!Switcher.context.exp || Date.now() > (Switcher.context.exp * 1000))) {
           await this.prepare(this._key, this._input);
       }
     }
   }
 
-  _executeOfflineCriteria() {
-    const response = checkCriteriaOffline(
+  async #executeOfflineCriteria() {
+    const response = await checkCriteriaOffline(
       this._key, this._input, Switcher.snapshot);
 
     if (Switcher.options.logger) 
@@ -318,12 +332,12 @@ class Switcher {
     return response.result;
   }
 
-  _validateArgs(key, input) {
+  #validateArgs(key, input) {
     if (key) { this._key = key; }
     if (input) { this._input = input; }
   }
 
-  _useSync() {
+  #useSync() {
     return this._delay == 0 || !ExecutionLogger.getExecution(this._key, this._input);
   }
 

src/lib/resolver.js

@@ -1,7 +1,7 @@
 const { processOperation } = require('./snapshot');
 const services = require('../lib/remote');
 
-function resolveCriteria(key, input, { domain }) {
+async function resolveCriteria(key, input, { domain }) {
     let result = true, reason = '';
 
     try {
@@ -10,7 +10,7 @@ function resolveCriteria(key, input, { domain }) {
         }
 
         const { group } = domain;
-        if (!checkGroup(group, key, input)) {
+        if (!(await checkGroup(group, key, input))) {
             throw new Error(`Something went wrong: {"error":"Unable to load a key ${key}"}`);
         }
 
@@ -36,14 +36,14 @@ function resolveCriteria(key, input, { domain }) {
  * @param {*} input strategy if exists
  * @return true if Switcher found
  */
-function checkGroup(groups, key, input) {
+async function checkGroup(groups, key, input) {
     if (groups) {
         for (const group of groups) {
             const { config } = group;
             const configFound = config.filter(c => c.key === key);
 
             // Switcher Configs are always supplied as the snapshot is loaded from components linked to the Switcher.
-            if (checkConfig(group, configFound[0], input)) {
+            if (await checkConfig(group, configFound[0], input)) {
                 return true;
             }
         }
@@ -57,7 +57,7 @@ function checkGroup(groups, key, input) {
  * @param {*} input Strategy input if exists
  * @return true if Switcher found
  */
-function checkConfig(group, config, input) {
+async function checkConfig(group, config, input) {
     if (!config)
         return false;
 
@@ -70,44 +70,44 @@ function checkConfig(group, config, input) {
     }
 
     if (config.strategies) {
-        return checkStrategy(config, input);
+        return await checkStrategy(config, input);
     }
 
     return true;
 }
 
-function checkStrategy(config, input) {
+async function checkStrategy(config, input) {
     const { strategies } = config;
     const entry = services.getEntry(input);
 
     for (const strategy of strategies) {
         if (!strategy.activated) 
             continue;
 
-        checkStrategyInput(entry, strategy);
+        await checkStrategyInput(entry, strategy);
     }
 
     return true;
 }
 
-function checkStrategyInput(entry, { strategy, operation, values }) {
+async function checkStrategyInput(entry, { strategy, operation, values }) {
     if (entry && entry.length) {
         const strategyEntry = entry.filter(e => e.strategy === strategy);
-        if (strategyEntry.length == 0 || !processOperation(strategy, operation, strategyEntry[0].input, values)) {
+        if (strategyEntry.length == 0 || !(await processOperation(strategy, operation, strategyEntry[0].input, values))) {
             throw new CriteriaFailed(`Strategy '${strategy}' does not agree`);
         }
     } else {
         throw new CriteriaFailed(`Strategy '${strategy}' did not receive any input`);
     }
 }
 
-function checkCriteriaOffline(key, input, snapshot) {
+async function checkCriteriaOffline(key, input, snapshot) {
     if (!snapshot) {
         throw new Error('Snapshot not loaded. Try to use \'Switcher.loadSnapshot()\'');
     }
 
     const {  data } = snapshot;
-    return resolveCriteria(key, input, data);
+    return await resolveCriteria(key, input, data);
 }
 
 class CriteriaFailed extends Error {

src/lib/snapshot.js

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const IPCIDR = require('./utils/ipcidr');
 const DateMoment = require('./utils/datemoment');
+const TimedMatch = require('./utils/timed-match');
 const { resolveSnapshot, checkSnapshotVersion } = require('./remote');
 const { CheckSwitcherError } = require('./exceptions');
 const { parseJSON, payloadReader } = require('./utils/payloadReader');
@@ -83,7 +84,7 @@ const OperationsType = Object.freeze({
     HAS_ALL: 'HAS_ALL'
 });
 
-const processOperation = (strategy, operation, input, values) => {
+const processOperation = async (strategy, operation, input, values) => {
     switch(strategy) {
         case StrategiesType.NETWORK:
             return processNETWORK(operation, input, values);
@@ -202,22 +203,16 @@ function processDATE(operation, input, values) {
     }
 }
 
-function processREGEX(operation, input, values) {
+async function processREGEX(operation, input, values) {
     switch(operation) {
-        case OperationsType.EXIST: {
-            for (const value of values) {
-                if (input.match(value)) {
-                    return true;
-                }
-            }
-            return false;
-        }
+        case OperationsType.EXIST:
+            return await TimedMatch.tryMatch(values, input);
         case OperationsType.NOT_EXIST:
-            return !processREGEX(OperationsType.EXIST, input, values);
+            return !(await processREGEX(OperationsType.EXIST, input, values));
         case OperationsType.EQUAL:
-            return input.match(`\\b${values[0]}\\b`) != null;
+            return await TimedMatch.tryMatch([`\\b${values[0]}\\b`], input);
         case OperationsType.NOT_EQUAL:
-            return !processREGEX(OperationsType.EQUAL, input, values);
+            return !(await TimedMatch.tryMatch([`\\b${values[0]}\\b`], input));
     }
 }