DNS_REGEX Can Hang Node Process

[astorm]

Problem description

We noticed that it's possible to hang (or seemingly hang) the entire node process with some common (if invalid) hostname/endpoint values. We discovered this while writing some validation code for our own hostname/endpoint values. This was with the grpc@grpc-js project.

The problem seems to be this regular expression

const DNS_REGEX = /^(?:dns:)?(?:\/\/(?:[a-zA-Z0-9-]+\.?)+\/)?((?:[a-zA-Z0-9-]+\.?)+)(?::(\d+))?$/;

and its execution here

const dnsMatch = DNS_REGEX.exec(target);

Reproduction steps

We can reproduce the problem we saw with the behavior of @grpc/grpc-js via this small program. Happy to put together a reproduction with @grpc/grpc-js if you'all think that would be helpful.

const main = () => {
  // host name with an extra port accidentally left on 
  const target = 'foo-internal.aws-us-east-2.tracing.staging-edge.foo-data.net:443:443'
  const DNS_REGEX = /^(?:dns:)?(?:\/\/(?:[a-zA-Z0-9-]+\.?)+\/)?((?:[a-zA-Z0-9-]+\.?)+)(?::(\d+))?$/
  DNS_REGEX.exec(target)
}
main()

The hostname foo-internal.aws-us-east-2.tracing.staging-edge.foo-data.net seems pathologic, but it's based on a legitimate hostname we've been asked to use.

Steps:

1. Run the above program with NodeJS 8, 10, or 12

Expected Behavior: Program exits normally

Actual Behavior: Program hangs for at least 2 minutes, likely longer

Environment

• MacOS 10.13/10.14and Ubuntu 18.04
• Nodes 8, 10, and 12
• Nodes 10 and 12 installed via nvm, Node 8 installed via apt-get install nodejs
• grpc/grpc-js@0.8.1

Additional context

Something something NFA backtracking.