
Zod email validation blocks the main thread in version 3.22.2 #2787

Closed
SpongeBed81 opened this issue Sep 24, 2023 · 9 comments

Comments

@SpongeBed81

Here is the version 3.21.4 of Zod:

zod-3.21.4.mp4

And here is the version 3.22.2:

zod-3.22.2.mp4

Here is the demo code:

<script>
    import { z } from 'zod';

    let emailVal = '';

    let success;
    let counter = 0;

    $: {
        success = z.string().email().safeParse(emailVal).success;
        counter++;
    }
</script>

<input type="text" bind:value={emailVal} />
<p>success: {success} | {counter}</p>

and I also tried something like this:

<script>
    import { z } from 'zod';
    import { onMount } from 'svelte';

    onMount(() => {
        console.log(z.string().email().safeParse('a'.repeat(50)).success);
    });
</script>

Both of them block the main thread, and the second one doesn't even let me see the page.

When I opened the performance tab in devtools I noticed it is doubling the time it takes to complete the task every time I enter a new character into the input.


task time
1 10ms
2 19.33ms
3 38.42ms
4 75.17ms
5 151ms
6 299.96ms
7 598.56ms
8 1.21s
@JulienZD

It's vulnerable to ReDoS attacks, as also mentioned in this issue. The linked issue contains a workaround by manually defining a zod string with a regex to parse the email address.

@SpongeBed81
Author

It's vulnerable to ReDoS attacks, as also mentioned in this issue. The linked issue contains a workaround by manually defining a zod string with a regex to parse the email address.

Thanks for your reply. I noticed both of the versions are problematic. In version 3.22.2 it blocks the main thread if you do what I did in the provided video. But in 3.21.4, if you type "noreply1@1-90y790o645vz81zq6287dhb9x1x28ab4q521nuv7b1og4y9c3q.5r-h8uter0.sc016.case.sandbox.salesforce.com" it will also block the main thread. This email is provided in issue #2580. Currently I am converting z.email()'s to a regex one as you mentioned.

Currently both versions look problematic and I didn't find any better way without using a regex.
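As an added example (not code from the zod project or from anyone in this thread), here is what the regex-free alternative the workaround points at can look like: a length-capped, single-pass email check with no backtracking, so its cost stays linear in the input length; the zod `refine` wiring at the end is an assumed usage and zod itself is not imported so the file runs stand-alone.

```javascript
// Added example: a ReDoS-resistant email check that can stand in for
// z.string().email() on the affected releases. Two defences: a hard length cap
// before any pattern work, and a hand-written scanner with no backtracking.

const MAX_EMAIL_LENGTH = 254; // practical upper bound for a full address (RFC 5321)
const MAX_LOCAL_LENGTH = 64;  // RFC 5321 local-part limit
const MAX_LABEL_LENGTH = 63;  // RFC 1035 DNS label limit
const LOCAL_SPECIALS = "!#$%&'*+/=?^_`{|}~-"; // RFC 5322 atext minus '.', which is handled below

function isAlnum(c) {
  return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

function validLocalPart(local) {
  if (local.length === 0 || local.length > MAX_LOCAL_LENGTH) return false;
  let prevDot = true; // start counts as "after a dot" so a leading '.' is rejected
  for (const c of local) {
    if (c === '.') {
      if (prevDot) return false; // leading or doubled dot
      prevDot = true;
    } else if (isAlnum(c) || LOCAL_SPECIALS.includes(c)) {
      prevDot = false;
    } else {
      return false;
    }
  }
  return !prevDot; // a trailing dot leaves prevDot set
}

function validDomain(domain) {
  const labels = domain.split('.');
  if (labels.length < 2) return false; // require at least one dot
  for (const label of labels) {
    if (label.length === 0 || label.length > MAX_LABEL_LENGTH) return false;
    if (label.startsWith('-') || label.endsWith('-')) return false;
    for (const c of label) if (!isAlnum(c) && c !== '-') return false;
  }
  return true;
}

function isSafeEmail(input) {
  if (typeof input !== 'string') return false;
  // Reject oversized input before touching its contents: the cheapest ReDoS mitigation.
  if (input.length === 0 || input.length > MAX_EMAIL_LENGTH) return false;
  const at = input.indexOf('@');
  if (at <= 0 || at !== input.lastIndexOf('@')) return false; // exactly one '@'
  return validLocalPart(input.slice(0, at)) && validDomain(input.slice(at + 1));
}

// Assumed zod wiring (zod is not imported here):
//   const email = z.string().max(MAX_EMAIL_LENGTH).refine(isSafeEmail, 'Invalid email');
```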

@MrKoopie

We can reproduce this error as well. Downgrading to 3.21.4 fixed it for us.

@MacsDickinson
Contributor

Have a PR in for #2609 which should resolve this: #2824

@SpongeBed81
Author

Have a PR in for #2609 which should resolve this: #2824

Thanks for your contribution. I will wait for your PR to get merged 😄

@SpongeBed81
Author

We can reproduce this error as well. Downgrading to 3.21.4 fixed it for us.

It fixes the bug in the latest version but version 3.21.4 also has a bug that also blocks the main thread as I said. So, be careful 😉

@taos15

taos15 commented Oct 2, 2023

Does that PR address this NVD?

@SpongeBed81
Author

SpongeBed81 commented Oct 2, 2023

Does that PR address this NVD?

Yes

@colinhacks
Owner

Fixed by #2824

Landed in Zod v3.22.3
