Merge pull request from GHSA-rrrm-qjm4-v8hf
* fix: fix reflink redos

Co-authored-by: MakeNowJust <make.just.on@gmail.com>

* fix: fix def redos

Co-authored-by: MakeNowJust <make.just.on@gmail.com>

* fix block label for multiple slashes

Co-authored-by: MakeNowJust <make.just.on@gmail.com>
UziTech and makenowjust committed Jan 13, 2022
1 parent d7212a6 commit c4a3ccd
Showing 4 changed files with 17 additions and 4 deletions.
13 changes: 9 additions & 4 deletions src/rules.js
@@ -25,7 +25,7 @@ export const block = {
+ '|<(?!script|pre|style|textarea)([a-z][\\w-]*)(?:attribute)*? */?>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:(?:\\n *)+\\n|$)' // (7) open tag
+ '|</(?!script|pre|style|textarea)[a-z][\\w-]*\\s*>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:(?:\\n *)+\\n|$)' // (7) closing tag
+ ')',
def: /^ {0,3}\[(label)\]: *\n? *<?([^\s>]+)>?(?:(?: +\n? *| *\n *)(title))? *(?:\n+|$)/,
def: /^ {0,3}\[(label)\]: *(?:\n *)?<?([^\s>]+)>?(?:(?: +(?:\n *)?| *\n *)(title))? *(?:\n+|$)/,
table: noopTest,
lheading: /^([^\n]+)\n {0,3}(=+|-+) *(?:\n+|$)/,
// regex template, placeholders will be replaced according to different paragraph
@@ -34,7 +34,7 @@ export const block = {
text: /^[^\n]+/
};

block._label = /(?!\s*\])(?:\\[\[\]]|[^\[\]])+/;
block._label = /(?!\s*\])(?:\\.|[^\[\]\\])+/;
block._title = /(?:"(?:\\"?|[^"\\])*"|'[^'\n]*(?:\n[^'\n]+)*\n?'|\([^()]*\))/;
block.def = edit(block.def)
.replace('label', block._label)
@@ -162,8 +162,8 @@ export const inline = {
+ '|^<![a-zA-Z]+\\s[\\s\\S]*?>' // declaration, e.g. <!DOCTYPE html>
+ '|^<!\\[CDATA\\[[\\s\\S]*?\\]\\]>', // CDATA section
link: /^!?\[(label)\]\(\s*(href)(?:\s+(title))?\s*\)/,
reflink: /^!?\[(label)\]\[(?!\s*\])((?:\\[\[\]]?|[^\[\]\\])+)\]/,
nolink: /^!?\[(?!\s*\])((?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]])*)\](?:\[\])?/,
reflink: /^!?\[(label)\]\[(ref)\]/,
nolink: /^!?\[(ref)\](?:\[\])?/,
reflinkSearch: 'reflink|nolink(?!\\()',
emStrong: {
lDelim: /^(?:\*+(?:([punct_])|[^\s*]))|^_+(?:([punct*])|([^\s_]))/,
@@ -230,6 +230,11 @@ inline.link = edit(inline.link)

inline.reflink = edit(inline.reflink)
.replace('label', inline._label)
.replace('ref', block._label)
.getRegex();

inline.nolink = edit(inline.nolink)
.replace('ref', block._label)
.getRegex();

inline.reflinkSearch = edit(inline.reflinkSearch, 'g')
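Review bot: In the new `block._label` (`/(?!\s*\])(?:\\.|[^\[\]\\])+/`), a backslash directly followed by a line break matches neither branch, because `.` does not match line terminators and the character class now excludes `\`; the old `[^\[\]]` branch accepted it. The same pattern is now spliced into `inline.reflink` and `inline.nolink` through `.replace('ref', block._label)`, so the narrowing applies to all three rules, and `nolink` also loses its old `\[[^\[\]]*\]` branch for one level of nested brackets. If labels that wrap after a backslash should keep matching, `(?:\\[\s\S]|[^\[\]\\])+` keeps the two branches mutually exclusive, which appears to be the property this fix relies on. I would also add a comment above the pattern, e.g. `// branches must stay disjoint (escape pair vs. non-backslash char) so the label cannot backtrack ambiguously`, and a spec for the changed label cases, since the fixtures in this commit only cover the slow inputs.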
4 changes: 4 additions & 0 deletions test/specs/redos/cubic_def.cjs
@@ -0,0 +1,4 @@
module.exports = {
markdown: `[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`,
html: `<p>[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x</p>`,
};
1 change: 1 addition & 0 deletions test/specs/redos/reflink_redos.html
@@ -0,0 +1 @@
<p>[[]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([</p>
3 changes: 3 additions & 0 deletions test/specs/redos/reflink_redos.md
@@ -0,0 +1,3 @@
[x]: x

[\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\]([

1 comment on commit c4a3ccd


@vercel vercel bot commented on c4a3ccd Jan 13, 2022
