Skip to content

fix redos in amp-a4a font allowlist version matching#40517

Open
digi-scrypt wants to merge 1 commit into
ampproject:mainfrom
digi-scrypt:a4a-font-regex-redos
Open

fix redos in amp-a4a font allowlist version matching#40517
digi-scrypt wants to merge 1 commit into
ampproject:mainfrom
digi-scrypt:a4a-font-regex-redos

Conversation

@digi-scrypt

Copy link
Copy Markdown
  1. ALLOWED_FONT_REGEX in head-validation.js tests link[rel=stylesheet] href values pulled from third-party AMPHTML ad creative heads.
  2. its version-number part uses ([0-9]+.?)+, which backtracks catastrophically (ReDoS) on a long digit run followed by a tail that fails the rest of the alternative, so an ad creative can freeze the rendering page main thread.
  3. swapped the three version sites to the linear [0-9]+(?:.[0-9]+)*.? form, which matches the same version strings.

have we considered the worst case here: on the .../releases/v path, 28 digits + a bad tail already costs ~30ms, 34 digits ~2s, and it doubles every extra two digits; the rewritten regex stays under 0.01ms even at 1000 digits while still accepting 5.4.55 / 4.7.0 / v5.15.4 style URLs.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


digi-scrypt seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants