Fix SonarQube security issues: Denial of Service (DoS)
JamsonChan committed May 9, 2024
1 parent bf8c889 commit 28433af
Showing 2 changed files with 18 additions and 7 deletions.
12 changes: 6 additions & 6 deletions zul/src/main/resources/web/js/zul/db/datefmt.ts
Expand Up @@ -254,9 +254,9 @@ var DateFmt = {
hasHour1 = hasAM && (fmt.includes('h') || fmt.includes('K')),
isAM,
ts = _parseTextToArray(txt, fmt),
regexp = /.*\D.*/,
regexp = /^\d+$/,
// ZK-2026: Don't use isNaN(), it will treat float as number.
isNumber = !regexp.test(txt),
isNumber = regexp.test(txt),
eras = localizedSymbols.ERAS,
era: zk.LocalizedSymbols.ErasElementType | undefined,
eraKey: string | undefined;
Expand Down Expand Up @@ -303,7 +303,7 @@ var DateFmt = {
}

// ZK-1985: Determine if token contains non-digital word when nonLenient is true.
if (nonLenient && token && regexp.test(token))
if (nonLenient && token && !regexp.test(token))
return;

if (!isNaN(nv = _parseInt(token))) {
Expand Down Expand Up @@ -403,7 +403,7 @@ var DateFmt = {
token = _parseToken(token, ts, --i, len);

// ZK-1985: Determine if token contains non-digital word when nonLenient is true.
if (nonLenient && token && regexp.test(token))
if (nonLenient && token && !regexp.test(token))
return;

if (!isNaN(nv = _parseInt(token))) {
Expand All @@ -427,7 +427,7 @@ var DateFmt = {
token = _parseToken(token, ts, --i, len);

// ZK-1985: Determine if token contains non-digital word when nonLenient is true.
if (nonLenient && token && regexp.test(token))
if (nonLenient && token && !regexp.test(token))
return;

if (!isNaN(nv = _parseInt(token)))
Expand All @@ -445,7 +445,7 @@ var DateFmt = {
token = _parseToken(token, ts, --i, len);

// ZK-1985: Determine if token contains non-digital word when nonLenient is true.
if (nonLenient && token && regexp.test(token))
if (nonLenient && token && !regexp.test(token))
return;

if (!isNaN(nv = _parseInt(token))) {
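Review bot: The anchored `/^\d+$/` silently changes `isNumber` for an empty `txt` at the second changed line of the first hunk: `/.*\D.*/.test('')` was false, so an empty string used to count as a number, whereas `/^\d+$/.test('')` is false, so it now does not. The token checks further down are unaffected because each is guarded by `token &&`, but if anything relied on the old empty-string result the declaration should read `isNumber = !txt || regexp.test(txt)`. It would also help future readers to record why the pattern is anchored, e.g. `// anchored whole-string match runs in linear time; the old /.*\D.*/ re-scanned every prefix of an all-digit input`. Note that `\d` in JavaScript matches only ASCII 0-9, so the check was and remains ASCII-only; the `var` declaration list this belongs to starts before the hunk.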
13 changes: 12 additions & 1 deletion zul/src/main/resources/web/js/zul/inp/SimpleConstraint.ts
Expand Up @@ -114,7 +114,7 @@ export class SimpleConstraint extends zk.Object {
if (hasEndingSlash) {
var restCst = cst.substring(k + 1),
// match zero-or-more character, until reaching a comma or a semicolon or end of string.
regexFlags: string | undefined = restCst.match(/.*?(?=,|:|$)/)![0].trim();
regexFlags: string | undefined = this._extractCst(restCst);
if (regexFlags) {
if (regexFlags.includes('d') || regexFlags.includes('y'))
zk.error('unsupported regex flags in constraint: ' + cst);
Expand Down Expand Up @@ -322,6 +322,17 @@ export class SimpleConstraint extends zk.Object {
return msg || msgzul.ILLEGAL_VALUE;
}

/** @internal */
_extractCst(restCst: string): string {
for (let i = 0, n = restCst.length; i < n; i++) {
const c = restCst.charAt(i);
if (',' == c || ':' == c) {
return restCst.substring(0, i).trim();
}
}
return restCst.trim();
}

reparseConstraint(): void {
this._finishParseCst = false;
}
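Review bot: `_extractCst` carries only `/** @internal */` and no statement of the contract it now stands in for; it should say what it returns, e.g. `/** @internal Returns the part of restCst before the first ',' or ':' (the whole string if neither occurs), trimmed. */`. The manual scan is correct and drops the old `match(...)![0]` non-null assertion, but the same linear-time result reads shorter as `const i = restCst.search(/[,:]/); return (i < 0 ? restCst : restCst.substring(0, i)).trim();`, since a single character class cannot backtrack. One behavioural difference is worth knowing: the old lazy `.*?` could not cross a newline and so skipped any text before one, while the new scan takes everything up to the first delimiter regardless of newlines; that looks like an improvement, but confirm no constraint string depended on it. The caller's comment above the call still says "semicolon" although both the old regex and the new loop split on a colon.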
