Prevent ReDoS attack. Validate url, wildcard or regex. Update error m…

…essages

_locales/en/messages.json

@@ -802,7 +802,7 @@
 		"message": "unblocked"
 	},
 	"white_black_list_error_invalid_url": {
-		"message": "Please enter a valid URL."
+		"message": "Please enter a valid URL, regex, or wildcard"
 	},
 	"whitelist_error_blacklist_url": {
 		"message": "This site has been removed from your Restricted Sites list and added to your Trusted Sites list."
@@ -1058,7 +1058,7 @@
 		"message": "Trusted Sites"
 	},
 	"settings_sites_placeholder": {
-		"message": "example.com"
+		"message": "example.com (wildcards/regex supported)"
 	},
 	"settings_restricted_sites": {
 		"message": "Restricted Sites"

app/panel/components/Settings/TrustAndRestrict.jsx

@@ -12,6 +12,7 @@
  */
 
 import React from 'react';
+import safe from 'safe-regex';
 import Sites from './Sites';
 /**
  * @class Implement Trust and Restrict subview presenting the lists
@@ -119,10 +120,12 @@ class TrustAndRestrict extends React.Component {
 		pageHost = pageHost.toLowerCase().replace(/^(http[s]?:\/\/)?(www\.)?/, '');
 
 		// Check for Validity
-		if (pageHost.length >= 2083) {
+		if (pageHost.length >= 2083
+			|| !this.isValidUrlWildcardOrRegex(pageHost)) {
 			this.showWarning(t('white_black_list_error_invalid_url'));
 			return;
 		}
+
 		// Check for Duplicates
 		if (list.includes(pageHost)) {
 			this.showWarning(duplicateWarning);
@@ -137,6 +140,39 @@ class TrustAndRestrict extends React.Component {
 		this.props.actions.updateSitePolicy({ type: listType, pageHost });
 	}
 
+	isValidUrlWildcardOrRegex(pageHost) {
+		// Check for valid URL
+		// from node-validator
+		const isValidUrlRegex = /^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))|localhost)(?::\d{2,5})?(?:\/[^\s]*)?$/i;
+		if (isValidUrlRegex.test(pageHost)) return true;
+
+
+		// Check for valid wildcard
+		const escapedPattern = pageHost.replace(/[|\\{}()[\]^$+*?.-]/g, '\\$&');
+		const wildcardPattern = escapedPattern.replace(/\*/g, '.*');
+		let isValidWildcard = true;
+		try {
+			// eslint-disable-next-line
+			new RegExp(wildcardPattern);
+		} catch {
+			isValidWildcard = false;
+		}
+
+		if (isValidWildcard) return true;
+
+		// Prevent ReDoS attack
+		if (!safe(pageHost)) return false;
+
+		// Check for valid regex
+		try {
+			// eslint-disable-next-line
+			new RegExp(pageHost);
+		} catch {
+			return false;
+		}
+		return false;
+	}
+
 	/**
 	 * Save current warning in state.
 	 * @param  {string} warning 	 warning to save

package.json

@@ -64,6 +64,7 @@
     "redux-object": "^0.5.10",
     "redux-thunk": "^2.2.0",
     "rsvp": "^4.8.5",
+    "safe-regex": "^2.1.1",
     "spanan": "^2.0.0",
     "ua-parser-js": "^0.7.21",
     "underscore": "^1.9.2",

src/classes/Policy.js

@@ -177,23 +177,23 @@ class Policy {
 	}
 
 	/**
-	 * Check given url against pattern which might be a regex, or a wildcard
+	 * Check given url against pattern which might be a wildcard, or a regex
 	 * @param  {string} url		site url
 	 * @param  {string} pattern	regex pattern
 	 * @return {boolean}
 	 */
 	matchesWildcardOrRegex(url, pattern) {
+		// Input string might be a wildcard
 		const escapedPattern = pattern.replace(/[|\\{}()[\]^$+*?.-]/g, '\\$&');
-
-		// Input string might be a regex
-		const regex = RegExp(escapedPattern);
-		if (regex.test(url)) { return true; }
-
-		// or a wildcard
 		const wildcardPattern = escapedPattern.replace(/\*/g, '.*');
 		const wildcardRegex = RegExp(wildcardPattern);
+
 		if (wildcardRegex.test(url)) { return true; }
 
+		// or a regex
+		const regex = RegExp(pattern);
+		if (regex.test(url)) { return true; }
+
 		return false;
 	}
 }

yarn.lock

@@ -7086,6 +7086,11 @@ regexp-quote@0.0.0:
   resolved "https://registry.yarnpkg.com/regexp-quote/-/regexp-quote-0.0.0.tgz#1e0f4650c862dcbfed54fd42b148e9bb1721fcf2"
   integrity sha1-Hg9GUMhi3L/tVP1CsUjpuxch/PI=
 
+regexp-tree@~0.1.1:
+  version "0.1.19"
+  resolved "https://registry.yarnpkg.com/regexp-tree/-/regexp-tree-0.1.19.tgz#9326e91d8d1d23298dd33a78cf5e788f57cdc359"
+  integrity sha512-mVeVLF/qg5qFbZSW0f7pXbuVX73dKIjuhOyC2JLKxzmpya75O4qLcvI9j0jp31Iz7IAkEVHa1UErDCAqaLKo5A==
+
 regexp.prototype.flags@^1.2.0, regexp.prototype.flags@^1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.3.0.tgz#7aba89b3c13a64509dabcf3ca8d9fbb9bdf5cb75"
@@ -7373,6 +7378,13 @@ safe-regex@^1.1.0:
   dependencies:
     ret "~0.1.10"
 
+safe-regex@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-2.1.1.tgz#f7128f00d056e2fe5c11e81a1324dd974aadced2"
+  integrity sha512-rx+x8AMzKb5Q5lQ95Zoi6ZbJqwCLkqi3XuJXp5P3rT8OEc6sZCJG5AE5dU3lsgRr/F4Bs31jSlVN+j5KrsGu9A==
+  dependencies:
+    regexp-tree "~0.1.1"
+
 "safer-buffer@>= 2.1.2 < 3", safer-buffer@^2.0.2, safer-buffer@^2.1.0, safer-buffer@~2.1.0:
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"