Fix catastrophic backtracking in IAL regex #125
Conversation
|
Thank you this looks serious, hopefully I can release this during the weekend |
|
Lets try to check this and release ASAP |
|
@martosaur I would not be unhappy to relinguish control maintainership of this The young are just faster and smarter, I know this still is not the simplest code to maintain, but asking just in case. Maybe you just want commit rights, all you need is to ask ;) Your application and colaboration is greatly appreciated. |
|
BTW I am 61, overworked and (hopefully not seriously) sick right now, so I start searching, maybe I'll make an annonce in some near future. |
|
1.4.31 release, thanx again |
|
@RobertDober thank you for all the work you put into this repo! I don't think I can pull off being a maintainer in a truly OS fashion, but luckily enough, I do this as part of my day job so maybe we could step in as an organization! I'll start the discussion within the team. |
The last version protects against a potential DoS attack on IALs c.f. RobertDober/earmark_parser#125
Steps to reproduce:
String.duplicate("a", 500_000) |> EarmarkParser.Helpers.extract_ial()Unless you're running a supercomputer, the operation will stall and begin to hoard memory.
The root cause is that IAL regex is doing the "catastrophic backtracking". I couldn't find a way to prevent this while still matching the line before the IAL, so instead I changed the regex to only match IAL and used
Regex.splitto extract the line. Let me know if you see a better solution!We initially ran into this bug while parsing a file with base64-encoded image, so I added a test for exactly this test case.