prevent Regular Expression Denial of Service attacks

index.js

@@ -28,21 +28,21 @@ var rgb2hex = module.exports = function rgb2hex(color) {
     /**
      * parse input
      */
-    var digits = /rgba?\((\d+),(\d+),(\d+)(,(\d+)?\.?(\d+))?\);?/.exec(strippedColor);
+    var digits = /(.*?)rgb(a)??\((\d{1,3}),(\d{1,3}),(\d{1,3})(,[01]??\.([0-9]{0,3}))??\)/.exec(strippedColor);
 
     if(!digits) {
         // or throw error if input isn't a valid rgb(a) color
         throw new Error('given color (' + color + ') isn\'t a valid rgb or rgba color');
     }
 
-    var red = parseInt(digits[1], 10);
-    var green = parseInt(digits[2], 10);
-    var blue = parseInt(digits[3], 10);
-    var alpha = digits[4] ? /([0-9\.]+)/.exec(digits[4])[0] : '1';
+    var red = parseInt(digits[3], 10);
+    var green = parseInt(digits[4], 10);
+    var blue = parseInt(digits[5], 10);
+    var alpha = digits[6] ? /([0-9\.]+)/.exec(digits[6])[0] : '1';
     var rgb = ((blue | green << 8 | red << 16) | 1 << 24).toString(16).slice(1);
 
     // parse alpha value into float
-    if(alpha.substr(0,1) === '.') {
+    if(alpha.substr(0,2) === ',.') {
         alpha = parseFloat('0' + alpha);
     }
 
@@ -58,4 +58,4 @@ var rgb2hex = module.exports = function rgb2hex(color) {
         hex: '#' + rgb.toString(16),
         alpha: alpha
     };
-};
+};

rgb2hex.js

@@ -21,21 +21,21 @@
         /**
          * parse input
          */
-        var digits = /rgba?\((\d+),(\d+),(\d+)(,(\d+)?\.?(\d+))?\);?/.exec(strippedColor);
+        var digits = /(.*?)rgb(a)??\((\d{1,3}),(\d{1,3}),(\d{1,3})(,[01]??\.([0-9]{0,3}))??\)/.exec(strippedColor);
 
         if(!digits) {
             // or throw error if input isn't a valid rgb(a) color
             throw new Error('given color (' + color + ') isn\'t a valid rgb or rgba color');
         }
 
-        var red = parseInt(digits[1], 10);
-        var green = parseInt(digits[2], 10);
-        var blue = parseInt(digits[3], 10);
-        var alpha = digits[4] ? /([0-9\.]+)/.exec(digits[4])[0] : '1';
+        var red = parseInt(digits[3], 10);
+        var green = parseInt(digits[4], 10);
+        var blue = parseInt(digits[5], 10);
+        var alpha = digits[6] ? /([0-9\.]+)/.exec(digits[6])[0] : '1';
         var rgb = ((blue | green << 8 | red << 16) | 1 << 24).toString(16).slice(1);
 
         // parse alpha value into float
-        if(alpha.substr(0,1) === '.') {
+        if(alpha.substr(0,2) === ',.') {
             alpha = parseFloat('0' + alpha);
         }
 

test/rgb2hex.test.js

@@ -80,10 +80,22 @@ describe('rgb2hex should', () => {
         })
 
         it('by limiting alpha value to 1', () => {
-            var input = 'rgba(12,173,22,12312.67)'
+            var input = 'rgba(12,173,22,1.67)'
             expect(rgb2hex(input).alpha).not.toBeGreaterThan(1)
         })
 
+        it('by not accepting to big values', () => {
+            var input = 'rgba(1123, 54, 4, 0.33)'
+            expect(() => rgb2hex(input)).toThrow(invalidErrorMessage(input))
+            input = 'rgba(113, 1154, 4, 0.33)'
+            expect(() => rgb2hex(input)).toThrow(invalidErrorMessage(input))
+            input = 'rgba(113, 154, 1114, 0.33)'
+            expect(() => rgb2hex(input)).toThrow(invalidErrorMessage(input))
+            input = 'rgba(113, 54, 4, 2.33)'
+            expect(() => rgb2hex(input)).toThrow(invalidErrorMessage(input))
+            input = 'rgbaaaaaa(113, 54, 4, .33)'
+            expect(() => rgb2hex(input)).toThrow(invalidErrorMessage(input))
+        })
     })
 
     describe('not care about', () => {
@@ -132,4 +144,4 @@ describe('rgb2hex should', () => {
             expect(rgb2hex(`${values}rgba(226,230,233,0.4)${values}`).hex)
         })
     })
-})
+})