Regular expression DoS (ReDoS) can be triggered using mermaid script

[debajyotisaikia1]

Description

It was discovered that a regular expression DoS (ReDoS) can be triggered. Mermaid allows the styles applied to a diagram to be set from a style or classDef keyword. However, since the regular expressions used to extract these keywords are problematic, if a crafted string is passed, then it will take a long time to calculate the matching process, and the Teams UI will become unusable as a result.

Steps to reproduce

Steps to reproduce:

1. Execute one of the following pieces of JavaScript on Chrome's DevTools. The payload will be saved to the clipboard.

PoC #1:
copy(flowchart TD ${'style'.repeat(400) + '#;' + ':'.repeat(400) + '#'.repeat(400)});

PoC #2:
copy(flowchart TD ${'classDef'.repeat(400) + '#;' + ':'.repeat(400) + '#'.repeat(400)});

2. The mermaid script/code is in your clipboard now. Paste it in a mermaid editor.

The vulnerable regular expressions were found in the Mermaid library's code, and are highlighted below:
Affected file:
https://github.com/mermaid-js/mermaid/blob/ d602240/packages/mermaid/src/utils.ts#L898-L903

Affected code:
txt = txt.replace( /style.:\S#.*;/g, function(s): string {
return s.substring(0, s.length - 1);
});

txt = txt.replace( /classDef.:\S#.*;/g, function(s): string {
return s.substring(0, s.length - 1);
});

This issue is present even in the latest version of the Mermaid library. As can be seen, the issue can also be reproduced in the Mermaid Live Editor.

Screenshots

No response

Code Sample

Setup

• Mermaid version:
• Browser and Version: [Chrome, Edge, Firefox]

Suggested Solutions

No response

Additional Context

No response