
In math.js there are vulnerabilities where if a person enters an impossible question, 1:999999999999999999999, it will crash the node.js process. Any ideas?

The code I use for calculations:

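    let resp;

    try {
        // args holds the words of the user's message, joined into one expression
        resp = math.evaluate(args.join(" "));
    } catch (e) {
        // Errors thrown by math.evaluate are reported back to the channel
        return message.channel.send('Please provide a **valid** question');
    }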
StevenSiebert

2 Answers


You can use a child process for running the calculations and limiting the maximum memory of processes on your OS, if you are using Linux on a Raspberry Pi for example.
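
The child-process approach from this answer, as an added example (not part of the original answer or of math.js): the expression is evaluated in a separate Node process with a V8 heap cap and a timeout rather than an OS-level limit, so an expression that exhausts memory ends the child and not the bot. `evaluateIsolated`, its options and the inline child script are hypothetical names, and mathjs is assumed to be installed where the bot runs.

```javascript
// Added example; function and option names are hypothetical.
const { execFile } = require('child_process');

// Child script run with `node -e`: reads the expression from stdin, evaluates it
// with mathjs (assumed installed where the bot runs) and prints the result as JSON.
const MATHJS_CHILD = `
const math = require('mathjs');
let expr = '';
process.stdin.setEncoding('utf8');
process.stdin.on('data', (chunk) => { expr += chunk; });
process.stdin.on('end', () => {
  const value = math.evaluate(expr);
  process.stdout.write(JSON.stringify(math.format(value, { precision: 14 })));
});`;

// Resolves to { ok: true, value } or { ok: false, reason } and never rejects, so a
// runaway expression costs one short-lived child instead of the bot process.
function evaluateIsolated(expr, opts = {}) {
  const { memoryMb = 64, timeoutMs = 2000, childSource = MATHJS_CHILD } = opts;
  return new Promise((resolve) => {
    const child = execFile(
      process.execPath,
      [`--max-old-space-size=${memoryMb}`, '-e', childSource], // V8 heap cap for the child
      { timeout: timeoutMs, maxBuffer: 64 * 1024 },            // wall-clock and output caps
      (err, stdout) => {
        if (err) {
          // err.killed is true when the timeout fired; any other error means the
          // child threw, ran out of heap, or wrote more output than maxBuffer.
          return resolve({ ok: false, reason: err.killed ? 'timeout' : 'failed' });
        }
        try {
          resolve({ ok: true, value: JSON.parse(stdout) });
        } catch (parseError) {
          resolve({ ok: false, reason: 'bad-output' });
        }
      }
    );
    child.stdin.on('error', () => {}); // the child may exit before reading its input
    child.stdin.end(String(expr));
  });
}
```

In the question's handler, `const r = await evaluateIsolated(args.join(" "))` would take the place of the `try`/`catch`, sending the "valid question" reply whenever `r.ok` is false.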


It's really absurd but if 1:999999999999999999999 is your only concern, I have noticed that / does not cause any problems but : does. So you could replace every : in your calculation with /.

    let resp;

    try {
        // Replace every ':' with '/' before the expression is evaluated
        resp = math.evaluate(args.join(" ").replace(/:/g, "/"));
    } catch (e) {
        return message.channel.send('Please provide a **valid** question');
    }
Apollo24