Data uri validation #1510
Conversation
Hey, just a word to tell you I'm not ignoring you. I see value in this one, but the 2nd regex opens up a ReDoS vulnerability, so I'm scratching my head with a few others to find a way out, but maybe there's none, so we might need to go for a half validation there. Just let us think about this one for a while, but if you have a solution I'd be glad to read it.
Hi! First of all, thank you for your comment, never heard of ReDoS before ^^' And I think I see why you said the second regex can be an evil one. I must admit something: I haven't written this one by myself. I have just copied the base64 one just before, which you can find here: 14d4319#diff-d91d658f77d8b9da32acdedc3b5950d0R451 So, now, are the two evil regexes, or are the two good? The difference is if the I cannot say if this is a really good idea or not. I looked at the pull request #1156 adding the evil regex and see no comment about it. I added a commit avoiding the evil request and requiring the padding (I have no idea what it is), allowing us to maybe merge this request. Maybe the pull request #1156 needs to be challenged?
(I can remove this commit on demand if you think the regex is not evil.)
Oh... That regex was already there then, ahah... 😅
Option added, exactly the same way as the base64 option.
I know it is not easy to be a maintainer (I used to be the main maintainer of a 3000+ star project). But no news about this PR. Is it forgotten (so here is a ping)? Or should I modify something? Thank you! edit: Or simply not an important PR, understandable.
Thanks. And sorry for the forgotten documentation update.
Hi there!
Maybe you'll find this completely useless, or, I hope, useful, but in many of my projects, I use the data URI format to send pictures between my clients and my APIs.
This format is not so simple to validate, and just a regex is not sufficient. This is why I propose to add this validation: `string().dataUri()`. I do not know what order may be the best, so I put it just near the `base64` one, as the use may be for some people quite the same. Do not hesitate if you have any questions!
Thank you!
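The thread raises two points a practitioner will want to see side by side: the maintainer's concern that a data URI regex can be a ReDoS vector, and the PR's base64-style `paddingRequired` option. The block below is an added example written for this page; it is not the PR's code nor joi's shipped implementation. It assumes the RFC 2397 shape `data:[<mediatype>][;base64],<data>` and an options object `{ paddingRequired }` that mirrors the thread's base64 option. Instead of one large regex, it splits the string on fixed delimiters and only uses anchored character-class patterns with no nested or overlapping quantifiers, so validation time stays linear even on adversarial input. The function names, the sample inputs and the `URLCHARS` approximation of the non-base64 payload alphabet are all assumptions of this example.

```javascript
// Added example (not joi's own code): a linear-time data: URI validator.
// Assumed grammar (RFC 2397):
//   data:[<mediatype>][;base64],<data>
//   mediatype := [ type "/" subtype ] *( ";" attribute "=" value )
// Every pattern below is anchored and has no nested or overlapping
// quantified groups, so none of them can backtrack catastrophically.
const BASE64_CHARS = /^[A-Za-z0-9+\/]*$/;                 // body of a base64 string, no '='
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;            // RFC 7230 token (type, subtype, attribute)
const QUOTED = /^"(?:[^"\\]|\\.)*"$/;                     // quoted-string parameter value
// Assumed alphabet for a non-base64 payload: URL characters plus %XX escapes.
// The two alternatives are disjoint ('%' is not in the first class), so the
// repetition never has two ways to consume the same character.
const URLCHARS = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]|%[0-9A-Fa-f]{2})*$/;

// Validates a base64 string. With paddingRequired (the default, as in the PR's
// follow-up commit) the length must be a multiple of 4 once '=' is counted;
// without it, unpadded input is accepted but present padding must still fit.
function validateBase64(str, { paddingRequired = true } = {}) {
  const eq = str.indexOf('=');
  const body = eq === -1 ? str : str.slice(0, eq);       // everything before the first '='
  const pad = eq === -1 ? '' : str.slice(eq);             // the '=' run and anything after it
  if (!BASE64_CHARS.test(body)) return false;             // forbidden character in the body
  if (pad !== '' && pad !== '=' && pad !== '==') return false; // '=' only at the end, at most two
  const rem = body.length % 4;
  if (rem === 1) return false;                            // one leftover sextet encodes no byte
  if (pad === '') return paddingRequired ? rem === 0 : true;
  // padding present: it must match the remainder of the last group exactly
  return (rem === 2 && pad === '==') || (rem === 3 && pad === '=');
}

// Validates a full data: URI. Options are forwarded to validateBase64.
// Limitation: parameters are split on ';', so a quoted value containing ';'
// is rejected rather than parsed.
function validateDataUri(uri, options = {}) {
  if (typeof uri !== 'string' || !uri.startsWith('data:')) return false;
  const comma = uri.indexOf(',');
  if (comma === -1) return false;                         // the comma is mandatory
  const header = uri.slice(5, comma);
  const payload = uri.slice(comma + 1);

  const parts = header.split(';');
  const mediatype = parts.shift();
  let isBase64 = false;
  if (parts.length > 0 && parts[parts.length - 1].toLowerCase() === 'base64') {
    isBase64 = true;
    parts.pop();
  }
  if (mediatype !== '') {                                 // empty mediatype is allowed (defaults to text/plain)
    const slash = mediatype.indexOf('/');
    if (slash === -1) return false;
    if (!TOKEN.test(mediatype.slice(0, slash)) || !TOKEN.test(mediatype.slice(slash + 1))) {
      return false;
    }
  }
  for (const param of parts) {                            // attribute=value pairs
    const eqAt = param.indexOf('=');
    if (eqAt === -1) return false;
    const attribute = param.slice(0, eqAt);
    const value = param.slice(eqAt + 1);
    if (!TOKEN.test(attribute)) return false;
    if (!TOKEN.test(value) && !QUOTED.test(value)) return false;
  }
  return isBase64 ? validateBase64(payload, options) : URLCHARS.test(payload);
}

// Constructed sample inputs, including one adversarial long string that a
// backtracking regex would choke on; this validator rejects it immediately.
const samples = [
  'data:image/png;base64,iVBORw0KGgo=',
  'data:image/png;base64,iVBORw0KGgo',
  'data:text/plain;charset=utf-8,Hello%20World',
  'data:text/plain,hello world',
  'data:,',
  'data:image/png;base64,' + 'A'.repeat(100000) + '!',
];
for (const s of samples) {
  const shown = s.length > 60 ? s.slice(0, 40) + '...(' + s.length + ' chars)' : s;
  console.log(shown, '->', validateDataUri(s), '/ padding optional:', validateDataUri(s, { paddingRequired: false }));
}
```

The design choice worth noting is that the base64 check never lets a regex decide the padding question at all: the `=` run is cut off with `indexOf`, the body is checked with a single character class, and the arithmetic on `body.length % 4` decides whether the padding is right. That is what makes a `paddingRequired` toggle cheap to support without writing a second, more permissive regex of the kind the maintainer flagged.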