Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: fix REDOS vulnerabilities #1083

Merged
merged 2 commits into from
Feb 27, 2018
Merged

Commits on Feb 27, 2018

  1. security: fix regexes vulnerable to catastrophic backtracking

    Problem:
    Four regexes were vulnerable to catastrophic backtracking.
    This leaves markdown servers open to a potential REDOS attack.
    
    Solution:
    Refactor the regexes.
    
    For two similar regexes (html) I didn't change the language.
    For two similar regexes (noline) I slightly changed the language:
    
    ![[[[[[[[[[[]] was accepted by the old noline pattern.
    It is now rejected.
    
    All tests pass, though I'm not sure if I've broken something that
    was untested.
    
    This addresses markedjs#1070 (with markedjs#1058 along the way).
    
    Bonus: rename a stray test to use _ instead of -.
    davisjam committed Feb 27, 2018
    Configuration menu
    Copy the full SHA
    b15e42b View commit details
    Browse the repository at this point in the history
  2. test: add time check

    Fail tests that take more than 1 second
    davisjam committed Feb 27, 2018
    Configuration menu
    Copy the full SHA
    2846212 View commit details
    Browse the repository at this point in the history