Skip to content

Commit

Permalink
fixing reported ReDoS
Browse files Browse the repository at this point in the history
  • Loading branch information
HenrikJoreteg committed Feb 26, 2021
1 parent 3a3ed62 commit c7274a4
Show file tree
Hide file tree
Showing 3 changed files with 18 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,7 @@ properties:

## changelog

- `2.0.1` Addressing a reported regular expression denial of service issue reported by [Sam Sanoop](https://twitter.com/snoopysecurity) of [Snyk](https://snyk.io/) THANK YOU!. The issue was that sending certain input would cause one of the regular expressions we used to lock up and not finish, freezing the process. See the test that was added for details. To be clear, this lib wasn't meant for parsing non-well formed HTML. But, better safe than sorry! So we're fixing it.
- `2.0.0` updated to more modern dependencies/build system. Switched to prettier, etc. No big feature differences, just new build system/project structure. Added support for top level text nodes thanks to @jperl. Added support for comments thanks to @pconerly.
- `1.0.0 - 1.0.3` no big changes, bug fixes and speed improvements.

Expand Down
2 changes: 1 addition & 1 deletion src/parse.js
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
const tagRE = /<[a-zA-Z\-\!\/](?:"[^"]*"['"]*|'[^']*'['"]*|[^'">])*>/g
const tagRE = /<[a-zA-Z\-\!\/](?:"[^"]*"|'[^']*'|[^'">])*>/g
import parseTag from './parse-tag'

// re-used obj for quick lookups of components
Expand Down
16 changes: 16 additions & 0 deletions test/parse.js
Original file line number Diff line number Diff line change
Expand Up @@ -766,3 +766,19 @@ test('simple speed sanity check', function (t) {

t.end()
})

test('ReDoS vulnerability reported by Sam Sanoop of Snyk', function (t) {
const start = Date.now()
// reported problematic string
HTML.parse(
"<!''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!"
)
// other variant
HTML.parse(
'<!""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""!'
)
const duration = Date.now() - start

t.ok(duration < 100, 'should not hang')
t.end()
})

0 comments on commit c7274a4

Please sign in to comment.