Fix ReDoS in parse_date#33
Merged
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #33 +/- ##
==========================================
+ Coverage 89.70% 91.30% +1.59%
==========================================
Files 1 1
Lines 68 69 +1
Branches 29 30 +1
==========================================
+ Hits 61 63 +2
+ Misses 1 0 -1
Partials 6 6 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
2fbfb1e to
0173966
Compare
Contributor
|
That seems like a much better fix than the regex changes. But is 128 bytes too long? I would think 64 is probably enough. |
Member
Author
|
Agreed — lowered the cap to 64. The longest format the module recognizes is around |
parse_date() -- and str2time(), which delegates to it -- used regexes with ambiguous adjacent greedy runs (year/clock/timezone digits and timezone/ASCII-timezone letters) before a trailing anchor. A valid-looking date prefix followed by a long interior run of digits, letters, or whitespace and a trailing junk character forced O(N^2) backtracking, so a ~100 KB string burned tens of seconds of CPU: a denial of service. Guard parse_date() with an up-front length check (reject input longer than 64 characters) so hostile strings are rejected before any regex runs. The check is on the untrimmed string, so no work happens on padded input. The cap is a hardcoded security limit, not a tunable: every format the module recognizes is far shorter, and the parsing regexes still contain adjacent unbounded quantifiers, so raising it would demand re-benchmarking against hostile input. The cap also bounds the substring later handed to Time::Zone. Add t/redos.t covering the guard, the exact length boundary, and the digit, letter, and whitespace DoS vectors. Fixes CVE-2026-14741. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0173966 to
624f773
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
parse_date() -- and str2time(), which delegates to it -- used regexes with
ambiguous adjacent greedy runs (year/clock/timezone digits and
timezone/ASCII-timezone letters) before a trailing anchor. A valid-looking
date prefix followed by a long interior run of digits, letters, or whitespace
and a trailing junk character forced O(N^2) backtracking, so a ~100 KB string
burned tens of seconds of CPU: a denial of service.
Guard parse_date() with an up-front length check ($HTTP::Date::MAX_LENGTH,
128 by default) so hostile input is rejected before any regex runs. The check
is on the untrimmed string, so no work happens on padded input, and the limit
is read defensively -- a nonsensical value (undef/zero/negative) falls back to
the default rather than silently rejecting every date. Every format the module
recognizes is far shorter than the limit, which is configurable for unusual
needs. The cap also bounds the substring later handed to Time::Zone.
Add t/redos.t covering the guard, the exact length boundary, and the digit,
letter, and whitespace DoS vectors.
Fixes CVE-2026-14741.
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com