When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.
This is a security concern for you, if - your service parses untrusted rulex expressions (expressions provided by an untrusted user), and - your service becomes unavailable when the thread running rulex panics.
The crashes are fixed in version 0.4.3. Affected users are advised to update to this version.
You can use catch_unwind
to recover from panics.
If you have any questions or comments about this advisory: * Open an issue in rulex * Email me at ludwig.stecher@gmx.de
Credit for finding these bugs goes to
{ "nvd_published_at": "2022-06-27T22:15:00Z", "github_reviewed_at": "2022-06-21T20:12:15Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-617" ] }