Hello and welcome to secure JavaScript programming with Vladimir de Turckheim. If you are here, I expect you have seen the previous video about regular expressions. In this video, we will see how a regular expression can bring down your service. This is an attack, or a bug, known as regular expression denial of service, or ReDoS.

Computing the result of a regular expression against a string, whatever the method used to do it, is a synchronous task, meaning it takes place in the current thread and blocks it. The thing is, JavaScript is a single-threaded language, meaning that you can only do one thing synchronously at the same time. Of course you can use worker threads, web workers or service workers to parallelise, but by default you will be in your single thread. That's why JavaScript has so many asynchronous APIs: otherwise it would not be able to do things concurrently. The principle of ReDoS is that the regex blocks the main thread and prevents the script from doing anything else.

One easy way to actually test ReDoS is in Node.js, so let me show you a small server I built. You put a string at the end of the URL, so let's say "hello world", and it tells you that the last word of this sentence is "world". If I do "hello", it will tell you that it is "hello", and if I do "hello world of JS", it returns "JS". Now let's put the string "AA": okay, so far so good, it accepts the string. But let's put an invalid character at the end: it tells us "invalid string", because it doesn't accept any special character. Now let me add a few A's. Okay, so far so good; all right, still so good. Yeah, okay, you see it starts to take a bit more time to compute, and now I have added some more A's and it takes much more time to respond.
I add even more A's and right now the server is blocked: if I curl it, it is not responding. The server is blocked, it cannot respond, because the main thread, the single thread, is currently blocked by a regular expression taking a very, very, very long time to run. Let's give it a few more seconds, but I don't expect that to stop in a decent amount of time.

Okay, so let's say you're facing that, either in the browser or in a Node.js application, and you don't really know that there is a regular expression in your path. You just see that something is very slow and blocking everything. Well, there's actually a good method for testing this: you use the CPU profiler. So I will start the Node server with --inspect, which is the equivalent of opening the DevTools on a web page. So right now my server is running, and I go to chrome://inspect and I get the DevTools for this server. If I were trying to debug something in a browser, I would just click "inspect" and I would get the same DevTools. So right now I am connected to my Node.js instance, so if I do console.log('hello'), it will actually also log here in my process.

You have multiple tools here you can use, and we'll use the profiler. So we click "Start CPU profiling" and now we can run a few of the calls, including the one that fails, of course, the last one. Yeah, okay, this one was too short; this one is long, very blocking and very buggy. It takes ages to run, and our CPU profiling is still going on. Let's stop CPU profiling, and we see that we have a view where it tells us the things that took time. The first view you need to be familiar with when you do CPU profiling is the chart view: this view lists the function calls in the order they happened.
So you can zoom in on something with the scroll wheel, and here you see an HTTP request getting into the app: it calls the parser, and once the headers are complete it calls the app method, which is actually the Express framework dispatching the request handler. We see some next calls, which pass parameters in Express, then we can go down, we see some more parsing, and we see the socket that writes the response. Okay, but this one was not actually the problematic one; this one is. You see, look at the top, we see that we've got a bigger chunk. We call that an island, an island of code. Here we see a call to app, then handle, and all of that means: the function app called the function handle, that called the function next, that called the function processParams, that called an anonymous function. And you see the time taken by each function, and by default a parent function's execution time is its own compute time plus the compute time of its children functions.

So in our case the function is named getLastWord, that's weird, and here we have the top of the stack, the top of the island, which is actually the part that is responsible for our application being in a state of denial of service. Let me just help myself a bit here: the V8 DevTools are very nice because they even tell us which regex is actually responsible for all of that.

This view makes sense if you want to check things on a specific time frame, but if you want to see aggregated time, you can go to "Bottom Up". Bottom Up will sum the time spent calling the same function again and again. So all calls have been summed to obtain half a millisecond; that's why it's called total time. So if we sort by total time, of course, we've got "(program)" at the top, and we've got a lot of functions, because functions are longer when their children are longer. But we can see that we find this regex again, and V8 even tells us which regex it is.
And by clicking on it, we can have the call stack to know why it has been called. Okay, that doesn't help us that much, but if we click here, on the part that looks like a stack trace, it actually takes us directly to the code of the server, enriched with the call times. I'm not sure why this one doesn't show 30 seconds, but there it is. So this tooling enabled us to identify that there was a single reason for our application to be slow. In our case it's a regex, but it could be, for instance, JSON parsing. Recently someone contacted me and told me, "Hey Vlad, my application is really slow, it looks like it's about Redis." Redis being asynchronous in its Node.js API, it was unlikely, but they were actually storing huge JSON documents directly in Redis. So where they were losing time was when they got the JSON as a string from Redis and parsed it, and by using the CPU profiler they were able to identify that it was a single JSON.parse call that was actually responsible. Cool. Sorry for the small digression, let's go back to regular expressions.

So the question is: why is this regular expression so slow? Well, this regex actually contains something that's called catastrophic backtracking. It means that there is a double repetition that makes the regex algorithm very slow, because it has to loop over and over on all items. And when it loops, it takes an exponentially growing time to compute. So let me give you an example: let's take four A's and a dollar sign, and it tells us "no match, zero milliseconds". If I add a few A's, still zero milliseconds; I add a few more A's, I get one millisecond to match. I add one more, still one; one more, and I went from 1 to 3 milliseconds to match. I add one more and I went from 3 to 7, 7 to 13, 13 to 26, we double each time: 26 to 48, 93, almost 200 milliseconds. Let me add a lot of them: it takes time and it times out. How high can we get?
So the issue in this regex is that it's matching a word without special characters, and because of this double capturing group it has to try all the possibilities in that string. And because it has to try all the possibilities, adding one single character actually multiplies the number of things to try. So either I remove the bad part of the string and the catastrophic backtracking is not triggered (it's not a regex that is condemned to be bad, it depends on its input), or I move, for instance, to another regex engine, like the one in Go, which is not susceptible to catastrophic backtracking at all. And the good news is that such an engine is slowly being ported to V8 and will soon be available in Node.js and Chrome.

Okay, what are the ways to protect yourself against catastrophic backtracking? Well, maybe the first protection is to know about it. So there's a module named redos; it's a very old one and I would not recommend using it. I would recommend you use safe-regex, but safe-regex doesn't have a CLI, and that's what I want for this demo. So I will just show you with redos: I installed redos, I go to node_modules/.bin/redos (oops, I forgot to save it), I pass it my server.js, and here it actually detected, through static analysis, that this regex might be dangerous. Actually, the safe-regex module by my good friend Jamie Davis is much better for this kind of thing.

Another thing you can do is to use a very handy feature from Node.js. There's actually a way to limit the execution time of a synchronous block of JavaScript code. It's like a super secret feature of Node.js: you can use the vm module to run an arbitrary script, and when you call one of its run methods, you can pass an options object that has a timeout value.
And this timeout value will be used to bound the execution of a synchronous chunk of JavaScript code.

So the last way to protect against ReDoS is to not use regular expressions: either never write your regular expressions yourself (that's currently the position at Snyk: they tell you that you should not write regexes yourself), or find a way to not even need regexes. So here, the goal of this code is to find the last word in a string. Well, another solution would be to do const split = str.split(' '), and then you pop the last one. So you have the last word, and you want to make sure it doesn't contain a special character. Well, in that case you just do a simple regular expression like this: you don't get the double repetition, because you are already sure that this is the last word in the sentence. Or rather the last set of characters in the sentence, because you split on whitespace; you could split on a regular expression, but you can also split on a substring, and then you run this much simpler regex that checks that you are on the right alphabet. And here you removed a regular expression denial of service vulnerability.

Thanks so much for watching this video. There are a few very important parts in it: first of all, don't trust regular expressions; secondly, try to avoid them as much as you can; thirdly, if you have a performance issue, the good way of detecting and fixing it is not to try random stuff, it's to open the CPU profiler. This is the tool designed to tell you the quickest where your performance problem stands. I hope you enjoyed this video, thanks so much for watching it, and see you soon in another course.