From c7274a48e59c92b2b7e906fedf9065159e73fe12 Mon Sep 17 00:00:00 2001
From: Henrik Joreteg
Date: Fri, 26 Feb 2021 10:37:18 -0800
Subject: [PATCH] fixing reported ReDoS
---
 README.md | 1 +
 src/parse.js | 2 +-
 test/parse.js | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b06e4dd..6386f1e 100644
--- a/README.md
+++ b/README.md
@@ -135,6 +135,7 @@ properties:
 ## changelog
+- `2.0.1` Addressing a reported regular expression denial of service issue reported by [Sam Sanoop](https://twitter.com/snoopysecurity) of [Snyk](https://snyk.io/) THANK YOU!. The issue was that sending certain input would cause one of the regular expressions we used to lock up and not finish, freezing the process. See the test that was added for details. To be clear, this lib wasn't meant for parsing non-well formed HTML. But, better safe than sorry! So we're fixing it.
 - `2.0.0` updated to more modern dependencies/build system. Switched to prettier, etc. No big feature differences, just new build system/project structure. Added support for top level text nodes thanks to @jperl. Added support for comments thanks to @pconerly.
 - `1.0.0 - 1.0.3` no big changes, bug fixes and speed improvements.
diff --git a/src/parse.js b/src/parse.js
index b862197..05f636d 100644
--- a/src/parse.js
+++ b/src/parse.js
@@ -1,4 +1,4 @@
-const tagRE = /<[a-zA-Z\-\!\/](?:"[^"]*"['"]*|'[^']*'['"]*|[^'">])*>/g
+const tagRE = /<[a-zA-Z\-\!\/](?:"[^"]*"|'[^']*'|[^'">])*>/g
 import parseTag from './parse-tag'
 // re-used obj for quick lookups of components
diff --git a/test/parse.js b/test/parse.js
index 2a9fa9e..930475b 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -766,3 +766,19 @@ test('simple speed sanity check', function (t) {
 t.end()
 })
+
+test('ReDoS vulnerability reported by Sam Sanoop of Snyk', function (t) {
+ const start = Date.now()
+ // reported problematic string
+ HTML.parse( "
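Review bot: The new `tagRE` line in the src/parse.js hunk has no comment recording why the `['"]*` tails were removed, so a later edit could reintroduce the overlap that let the group match the same quotes in more than one way. A line above the constant such as `// alternatives must each start with a different character so no input can match two ways (ReDoS)` would pin the invariant. Dropping the tails also changes what counts as a tag: a stray quote directly after a closed attribute value was tolerated before and now has to be closed itself before the `>`, so a regression test for that input shape would document the intended result. The pattern still appears to rescan from each tag opener when no closing `>` follows, so worst-case time on long malformed input is likely super-linear, and callers passing untrusted HTML to `parse` should cap its length first.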