fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

[mmmsssttt404]

Q	A
Bug fix?	yes
New feature?	no
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Fixed tickets
License	MIT
Doc PR	https://github.com/pm2-hive/pm2-hive.github.io/pulls

Steps to reproduce
Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

https://github.com/mmmsssttt404/pm2/blob/d0e7801184bcf98b7c93ffecc77c623df6ffa22f/lib/tools/Config.js#L204

PoC Files and Comparisons:
gist:https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385
use time:

Proposed Solution:
Change the regular expression to

((?<![\w\-])([\w\-]+\="[^"]*")|(?<![\w\-])([\w\-]+\='[^']*')|"([^"]*)"|'([^']*)'|\s )

change:

steps:
1.git clone https://github.com/mmmsssttt404/pm2.git
2.cd pm2
3.git checkout development
4.npm install
5.change regex
6.bash test/unit.sh

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

[CLAassistant]

All committers have signed the CLA.

[xqin]

_valid 是内部方法，仅在 Config.validateJSON 中被调用， Config.validateJSON 的调用方传入的数据 是来自 使用者自己传入的配置项生成的，何着自己DDOS自己算漏洞？

那 写段 nodejs 脚本执行任意命令或者跑个死循环，就可以提 nodejs 官方提 BUG 了吗？

看了一下你的 gist 中的 POC，都是类似的，拿这个套路在 github 上刷 PR 吗？

https://gist.github.com/mmmsssttt404