marked

codewalker/marked

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jamie Davis	b15e42b67c	security: fix regexes vulnerable to catastrophic backtracking Problem: Four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential REDOS attack. Solution: Refactor the regexes. For two similar regexes (html) I didn't change the language. For two similar regexes (noline) I slightly changed the language: ![[[[[[[[[[[]] was accepted by the old noline pattern. It is now rejected. All tests pass, though I'm not sure if I've broken something that was untested. This addresses #1070 (with #1058 along the way). Bonus: rename a stray test to use _ instead of -.	2018-02-26 21:03:55 -05:00

Author

SHA1

Message

Date

Jamie Davis

b15e42b67c

security: fix regexes vulnerable to catastrophic backtracking

Problem:
Four regexes were vulnerable to catastrophic backtracking.
This leaves markdown servers open to a potential REDOS attack.

Solution:
Refactor the regexes.

For two similar regexes (html) I didn't change the language.
For two similar regexes (noline) I slightly changed the language:

![[[[[[[[[[[]] was accepted by the old noline pattern.
It is now rejected.

All tests pass, though I'm not sure if I've broken something that
was untested.

This addresses #1070 (with #1058 along the way).

Bonus: rename a stray test to use _ instead of -.

2018-02-26 21:03:55 -05:00

1 Commits