From d4c450829dc6d91bf0adc157b3628c00a87f7c5d Mon Sep 17 00:00:00 2001
From: Alan Agius
Date: Fri, 24 Feb 2023 15:09:08 +0000
Subject: [PATCH] fix(@angular-devkit/build-angular): improve parsing of error messages

Webpack errors can sometimes be several hundred of thousands of characters long as it may contain the entire bundle. This can cause a ReDoS. This change improves the way we parse and remove stack traces from error messages.

Closes #24771
---
 .../angular_devkit/build_angular/src/webpack/utils/stats.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts b/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts
index 3e3a64407316..d23ac4d7f89c 100644
--- a/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts
+++ b/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts
@@ -412,9 +412,9 @@ export function statsErrorsToString(
 // In most cases webpack will add stack traces to error messages.
 // This below cleans up the error from stacks.
 // See: https://github.com/webpack/webpack/issues/15980
- const message = statsConfig.errorStack
- ? error.message
- : /[\s\S]+?(?=\n+\s+at\s)/.exec(error.message)?.[0] ?? error.message;
+ const index = error.message.search(/[\n\s]+at /);
+ const message =
+ statsConfig.errorStack || index === -1 ? error.message : error.message.substring(0, index);

 if (!/^error/i.test(message)) {
 output += r('Error: ');
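Review bot: The new pattern `/[\n\s]+at /` no longer requires a line break before `at`, so `search` can match ordinary prose such as `... error at line 3`, and `substring(0, index)` would then cut the message there instead of at the first stack frame; the removed pattern required `\n+\s+at\s`. Since `\s` already includes `\n`, the class `[\n\s]` is just `\s`. Anchoring on a newline, `const index = error.message.search(/\n\s+at /);`, keeps the old stack-frame shape while still avoiding the lazy `[\s\S]+?` scan that this commit removes. The search also runs when `statsConfig.errorStack` is set and its result is then discarded, so it could be skipped in that case for very large messages. `statsErrorsToString` starts and ends outside the hunk, so how `message` is used further down is not visible here.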