From 511ecc487ea57f554a0d199206a58efbc9cd121c Mon Sep 17 00:00:00 2001
From: Matt Broadstone
Date: Mon, 26 Feb 2018 15:09:27 -0500
Subject: [PATCH] fix(decimal128): add basic guard against REDOS attacks

This is a naive approach to reducing the efficacy of a REDOS attack against this module. A refactor of the regular expression or a custom parser substitute would be ideal, however this solution suffices as a stopgap until such work is completed. Many thanks to James Davis who graciously alterted us to the attack
---
 lib/bson/decimal128.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/bson/decimal128.js b/lib/bson/decimal128.js
index 5f0d7533..bdfca481 100644
--- a/lib/bson/decimal128.js
+++ b/lib/bson/decimal128.js
@@ -206,6 +206,13 @@ Decimal128.fromString = function(string) {
 // Read index
 var index = 0;
 
+ // Naively prevent against REDOS attacks.
+ // TODO: implementing a custom parsing for this, or refactoring the regex would yield
+ // further gains.
+ if (string.length >= 7000) {
+ throw new Error('' + string + ' not a valid Decimal128 string');
+ }
+
 // Results
 var stringMatch = string.match(PARSE_STRING_REGEXP);
 var infMatch = string.match(PARSE_INF_REGEXP);
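Review bot: The 7000-character cutoff in the new guard is a bare magic number with no stated rationale; a named module-level constant with a one-line comment saying it bounds the input handed to the backtracking PARSE_STRING_REGEXP would make both the intent and the tuning point explicit, e.g. `var MAX_STRING_LENGTH = 7000; // bounds regex input length as a ReDoS stopgap` and `if (string.length >= MAX_STRING_LENGTH) {`. The thrown message also embeds the entire rejected input via `'' + string + ' not a valid Decimal128 string'`, so an over-long input of 7000 or more characters is copied into every error message and any log line that records it; reporting `string.length` in the message instead would keep it bounded. Because the guard only caps length, inputs below the cutoff still pay whatever superlinear cost the regex has, as the TODO already acknowledges, so the constant's comment should say it is a mitigation rather than a fix. Decimal128.fromString begins before this hunk and continues after it.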