fix(decimal128): add basic guard against REDOS attacks

This is a naive approach to reducing the efficacy of a REDOS attack against this module. A refactor of the regular expression or a custom parser substitute would be ideal, however this solution suffices as a stopgap until such work is completed. Many thanks to James Davis who graciously alterted us to the attack
mongodb · Feb 26, 2018 · 511ecc4 · 511ecc4
1 parent 095fba9
commit 511ecc4
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/lib/bson/decimal128.js b/lib/bson/decimal128.js
@@ -206,6 +206,13 @@ Decimal128.fromString = function(string) {
   // Read index
   var index = 0;
 
+  // Naively prevent against REDOS attacks.
+  // TODO: implementing a custom parsing for this, or refactoring the regex would yield
+  //       further gains.
+  if (string.length >= 7000) {
+    throw new Error('' + string + ' not a valid Decimal128 string');
+  }
+
   // Results
   var stringMatch = string.match(PARSE_STRING_REGEXP);
   var infMatch = string.match(PARSE_INF_REGEXP);