GHSA-f45g-68q3-5w8x

Source
https://github.com/advisories/GHSA-f45g-68q3-5w8x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-f45g-68q3-5w8x/GHSA-f45g-68q3-5w8x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f45g-68q3-5w8x
Aliases
Published
2026-03-10T21:04:25Z
Modified
2026-03-13T04:22:10.994103Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Elysia has a string URL format ReDoS
Details

Impact

`t.String({ format: 'url' })` is vulnerable to ReDoS (regular expression denial of service).

Repeating a partial URL (protocol and hostname) many times causes the format regex to slow down significantly:

'http://a'.repeat(n)

Here's a table showing how long it takes to process the repeated partial URL:

| n repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |

Patches

Patched in 1.4.26; please update elysia to >= 1.4.26.

Here's how long the same inputs take after the patch:

| n repeat | elapsed_ms |
| --- | --- |
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |

Workarounds

  1. It's recommended to always give `url`-format strings a reasonable `maxLength`, which bounds the input the format regex has to process

    t.String({
        format: 'url',
        maxLength: 288
    })
    
  2. If long URLs are necessary and you cannot yet update to 1.4.26, register the patched `url` format yourself by adding the following code to any part of your codebase

    import { FormatRegistry } from '@sinclair/typebox'
    
    // Replace TypeBox's built-in 'url' format with the patched regex
    FormatRegistry.Delete('url')
    FormatRegistry.Set('url', (value) =>
        /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
            value
        )
    )
    
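As an added example (not code from Elysia or TypeBox), here is the patched `url` regex from workaround 2 wrapped in a plain validator, next to the `maxLength` guard from workaround 1, with a small timing helper that runs the advisory's `'http://a'.repeat(n)` input through the validator so you can confirm the linear behaviour from the post-patch table. The function names, the `maxLength` parameter and its default are this example's own (288 is the value the advisory suggests); the regex is copied verbatim from the workaround.

```javascript
// Added example, not Elysia's or TypeBox's own code.
// Regex copied verbatim from workaround 2 of the advisory.
const URL_FORMAT = /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu;

// Workaround 2 on its own: validate with the patched regex.
// (Function name is this example's; not a TypeBox API.)
function isValidUrl(value) {
  return typeof value === 'string' && URL_FORMAT.test(value);
}

// Workaround 1 layered on top: reject over-long strings before the regex
// ever runs, so the cost is bounded regardless of the regex in use.
// The default of 288 is the limit the advisory suggests.
function isValidUrlBounded(value, maxLength = 288) {
  if (typeof value !== 'string' || value.length > maxLength) return false;
  return URL_FORMAT.test(value);
}

// Time one validator on the advisory's pathological input 'http://a'.repeat(n)
// (constructed here). Returns { n, valid, elapsedMs } so a caller can compare
// the elapsed time against a budget instead of only printing it.
function measureRepeatedPartialUrl(validator, n) {
  const input = 'http://a'.repeat(n);
  const start = performance.now();
  const valid = validator(input);
  return { n, valid, elapsedMs: performance.now() - start };
}

// Stand-alone run: reproduce the advisory's table for the patched regex.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [1024, 2048, 4096, 8192, 16384, 32768]) {
    const r = measureRepeatedPartialUrl(isValidUrl, n);
    console.log(`n=${r.n} valid=${r.valid} elapsed_ms=${r.elapsedMs.toFixed(3)}`);
  }
}
```

The repeated partial input never matches (the hostname branch requires a dotted TLD), so what matters is that the rejection is reached in linear time; with the patched regex the greedy user-info and hostname groups each backtrack at most once over the input, which is why the post-patch numbers stay in the low milliseconds even at n = 32768.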
Database specific
{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T21:04:25Z",
    "nvd_published_at": "2026-03-10T21:16:47Z"
}
References

Affected packages

npm / elysia

Affected ranges
  Type: SEMVER
  Events:
    Introduced: 0 (unknown introduced version / all previous versions are affected)
    Fixed: 1.4.26

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-f45g-68q3-5w8x/GHSA-f45g-68q3-5w8x.json"