Skip to content

Commit

Permalink
security: fix regexes vulnerable to catastrophic backtracking
Browse files Browse the repository at this point in the history
Problem:
Four regexes were vulnerable to catastrophic backtracking.
This leaves markdown servers open to a potential REDOS attack.

Solution:
Refactor the regexes.

For two similar regexes (html) I didn't change the language.
For two similar regexes (noline) I slightly changed the language:

![[[[[[[[[[[]] was accepted by the old noline pattern.
It is now rejected.

All tests pass, though I'm not sure if I've broken something that
was untested.

This addresses markedjs#1070 (with markedjs#1058 along the way).

Bonus: rename a stray test to use _ instead of -.
  • Loading branch information
davisjam committed Feb 27, 2018
1 parent fa3998a commit ed5df2b
Show file tree
Hide file tree
Showing 7 changed files with 6 additions and 4 deletions.
8 changes: 4 additions & 4 deletions lib/marked.js
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ block._tag = '(?!(?:'
block.html = edit(block.html)
.replace('comment', /<!--[\s\S]*?-->/)
.replace('closed', /<(tag)[\s\S]+?<\/\1>/)
.replace('closing', /<tag(?:"[^"]*"|'[^']*'|\s[^'"\/>]*)*?\/?>/)
.replace('closing', /<tag(?:"[^"]*"|'[^']*'|\s[^'"\/>\s]*)*?\/?>/)
.replace(/tag/g, block._tag)
.getRegex();

Expand Down Expand Up @@ -461,10 +461,10 @@ var inline = {
escape: /^\\([\\`*{}\[\]()#+\-.!_>])/,
autolink: /^<(scheme:[^\s\x00-\x1f<>]*|email)>/,
url: noop,
tag: /^<!--[\s\S]*?-->|^<\/?[a-zA-Z0-9\-]+(?:"[^"]*"|'[^']*'|\s[^<'">\/]*)*?\/?>/,
tag: /^<!--[\s\S]*?-->|^<\/?[a-zA-Z0-9\-]+(?:"[^"]*"|'[^']*'|\s[^<'">\/\s]*)*?\/?>/,
link: /^!?\[(inside)\]\(href\)/,
reflink: /^!?\[(inside)\]\s*\[([^\]]*)\]/,
nolink: /^!?\[((?:\[[^\]]*\]|\\[\[\]]|[^\[\]])*)\]/,
nolink: /^!?\[((?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]])*)\]/,
strong: /^__([\s\S]+?)__(?!_)|^\*\*([\s\S]+?)\*\*(?!\*)/,
em: /^_([^\s_](?:[^_]|__)+?[^\s_])_\b|^\*((?:\*\*|[^*])+?)\*(?!\*)/,
code: /^(`+)\s*([\s\S]*?[^`]?)\s*\1(?!`)/,
Expand All @@ -481,7 +481,7 @@ inline.autolink = edit(inline.autolink)
.replace('email', inline._email)
.getRegex()

inline._inside = /(?:\[[^\]]*\]|\\[\[\]]|[^\[\]]|\](?=[^\[]*\]))*/;
inline._inside = /(?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]]|\](?=[^\[]*\]))*/;
inline._href = /\s*<?([\s\S]*?)>?(?:\s+['"]([\s\S]*?)['"])?\s*/;

inline.link = edit(inline.link)
Expand Down
File renamed without changes.
File renamed without changes.
Empty file.
1 change: 1 addition & 0 deletions test/new/redos_html_closing.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<tag "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""<" />a'a
Empty file added test/new/redos_nolink.html
Empty file.
1 change: 1 addition & 0 deletions test/new/redos_nolink.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
![\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]!\

0 comments on commit ed5df2b

Please sign in to comment.