ReDoS vulnerability

UserWert1234 Posts: 1 Questions: 1 Answers: 0

Hi everyone,

I’m using DataTables StateRestore v1.4.1 and noticed this line in the source dataTables.stateRestore.js:

if (key.match(new RegExp('^DataTables_stateRestore_.*_' + location.pathname + '$')) || ...)

Since location.pathname is directly interpolated into a RegExp, I’m concerned this could be vulnerable to Regular Expression Denial of Service (ReDoS) if the pathname contains special regex characters.

I’m looking for guidance on how to fix this safely. I was thinking about escaping location.pathname before using it in the RegExp, but I’m not sure.

Has anyone else encountered this, or can suggest a safe way to handle location.pathname in this context without introducing ReDoS?

Thanks in advance!

Answers

  • allan Posts: 65,056 Questions: 1 Answers: 10,772 Site admin

    The path name is something that you control, so unless the DataTable is in a page which has a dynamic URL that the user has the ability to change (and allowed special characters), there isn't really an issue. That said, looking at it, there is no need for a regex there; startsWith and endsWith are good enough for this and sidestep the issue entirely.

    I've committed a fix which will be in the next release.

    Thanks for flagging this up.

    Allan
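
A comparison of the interpolated pattern from the question with a startsWith/endsWith check of the kind the answer suggests, as an added example that is not part of the thread and not the committed fix. The function names and the sample keys and pathnames are constructed for illustration.

```javascript
// Added example; function names and sample data are constructed, not project code.
const PREFIX = 'DataTables_stateRestore_';

// Pattern from the question: pathname is interpolated into the RegExp unescaped,
// so any regex metacharacter in it is interpreted as pattern syntax.
function matchesKeyRegex(key, pathname) {
  return new RegExp('^' + PREFIX + '.*_' + pathname + '$').test(key);
}

// String comparison: pathname is only ever treated as literal text.
function matchesKeyLiteral(key, pathname) {
  const suffix = '_' + pathname;
  // The length check keeps prefix and suffix from overlapping, as the regex requires.
  return key.length >= PREFIX.length + suffix.length &&
    key.startsWith(PREFIX) && key.endsWith(suffix);
}

// Run both checks and report how the regex variant behaved.
function compare(key, pathname) {
  let regex;
  try {
    regex = matchesKeyRegex(key, pathname);
  } catch (e) {
    regex = e.name; // 'SyntaxError' when pathname is not a valid pattern
  }
  return { regex, literal: matchesKeyLiteral(key, pathname) };
}

// Constructed cases: [storage key, pathname of the current page].
const cases = [
  ['DataTables_stateRestore_saved1_/app/list', '/app/list'],           // plain path
  ['DataTables_stateRestore_saved1_/app/v1x0/list', '/app/v1.0/list'], // '.' is a wildcard
  ['DataTables_stateRestore_saved1_/app/(beta', '/app/(beta'],         // invalid pattern
  ['DataTables_stateRestore_saved1_/app/a+b', '/app/a+b'],             // '+' is a quantifier
];
for (const [key, pathname] of cases) {
  console.log(pathname, compare(key, pathname));
}
```

With the regex, a metacharacter in the path can match another path's key, miss the page's own key, or throw; the literal check returns the expected result in all four cases.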
