Merge pull request from GHSA-7wwv-vh3v-89cq

* enh(tests) analyze regex for catastrophic backtracking * allow testing individual languages * fix(routeros) resolve potential exponential backtracking issue * fix(powershell) resolve potential exponential backtracking issue * fix(erlang-repl) resolve backtracking issue * fix(r) resolve backtracking issue * fix(jboss-cli) resolve backtracking issue * (lint) perl * fix(perl) resolve exponential backtracking issue * fix(gams) resolve exponential backtracking issue * (lint) c-like * fix(handlebars) resolve exponential backtracking issue * fix(cpp) resolve exponential backtracking issue * fix(sqf) fix poly backtracking issue - The `_` case should already be handled by `_+` * fix(xquery) fix poly backtracking issue * fix(ruleslanguage) fix poly backtracking issue The extra expression here does not matter since it was purely optional (`*`). The important thing is gobbling up the `#` to prevent it from stealing relevance. And `\s+` gets that done on it's own. * fix(markdown) fix poly backtracking issue - Fix poly backtracking with code blocks * fix(dsconfig) fix poly backtracking issue Not 100% sure what the original intent of \S was since it seems that valueless properties wouldn't have a trailing `:` and why should we include the letter after as part of the match? That means that now there is an edge case that we handle slightly differently property:"quoted value" The `:` will not be highlighted (as it was before). This is a problem for another day when someone who knows about dsconfig shows up. * fix(x86asm) fix poly backtracking issue * fix(yaml) fix poly backtracking issue * fix(livecodeserver) fix poly backtracking issue * fix(fortran) fix poly backtracking issue * fix(fortran/irpf90) fix poly backtracking issue * fix(ruby) fix poly backtracking issues - Fix poly backtracking issue with RVM_PROMPT. - Fix poly backtracking issue with heredocs. * fix(ebnf) fix poly backtracking issue * fix(basic) fix poly backtracking issue * fix(elixir) fix poly backtracking issue * fix(crystal) fix poly backtracking issue * fix(scilab) fix poly backtracking issue * fix(csharp) fix poly backtracking issue * fix(coffee/livescript) fix poly backtracking issue - Fix issue with optional params for anonymous functions * fix(moonscript) fix poly backtracking issue * fix(aspectj) fix poly backtracking issue * fix(d) fix poly backtracking issue * fix(gcode) fix poly backtracking issue * fix(kotlin) fix poly backtracking issue No explanation for what this `illegal` is trying to accomplish to without that data, just remove it. * fix(kotlin) fix poly backtracking issue - Use same numeric mode rules as for Java * fix(asciidoc) fix poly backtracking issue * fix(javascript/typescript) fix poly backtracking issue - Fix poly backtracking issue in gnarly `()` counting regex * fix(latex) fix poly backtracking issue * fix(reasonml) fix poly backtracking issue - fix typo/bug with using `s` vs `\s` (string vs regex mistake) - simply `[pattern]?[pattern]?` to just `[pattern]{0,2}` - fix ambiguous `\s*` poly issues * enh(ci): Add tests for polynomial regex issues
highlightjs · Dec 3, 2020 · 373b9d8 · 373b9d8
1 parent 6a0c9f8
commit 373b9d8
Show file tree

Hide file tree

Showing 49 changed files with 1,034 additions and 235 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -29,6 +29,53 @@ Grammar improvements:
 [tripleee]: https://github.com/tripleee
 
 
+## Version 10.4.1 (tentative)
+
+Security
+
+- (fix) Exponential backtracking fixes for: [Josh Goebel][]
+  - cpp
+  - handlebars
+  - gams
+  - perl
+  - jboss-cli
+  - r
+  - erlang-repl
+  - powershell
+  - routeros
+- (fix) Polynomial backtracking fixes for: [Josh Goebel][]
+  - asciidoc
+  - reasonml
+  - latex
+  - kotlin
+  - gcode
+  - d
+  - aspectj
+  - moonscript
+  - coffeescript/livescript
+  - csharp
+  - scilab
+  - crystal
+  - elixir
+  - basic
+  - ebnf
+  - ruby
+  - fortran/irpf90
+  - livecodeserver
+  - yaml
+  - x86asm
+  - dsconfig
+  - markdown
+  - ruleslanguage
+  - xquery
+  - sqf
+
+Very grateful to [Michael Schmidt][] for all the help.
+
+[Michael Schmidt]: https://github.com/RunDevelopment
+[Josh Goebel]: https://github.com/joshgoebel
+
+
 ## Version 10.4.0
 
 A largish release with many improvements and fixes from quite a few different contributors.  Enjoy!

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -64,6 +64,7 @@
     "jsdom": "^16.4.0",
     "lodash": "^4.17.20",
     "mocha": "^8.2.1",
+    "refa": "^0.4.1",
     "rollup": "^2.33.1",
     "should": "^13.2.3",
     "terser": "^5.3.8",

diff --git a/src/languages/asciidoc.js b/src/languages/asciidoc.js
@@ -172,7 +172,7 @@ export default function(hljs) {
       },
       // images and links
       {
-        begin: '(link:)?(http|https|ftp|file|irc|image:?):\\S+\\[.*?\\]',
+        begin: '(link:)?(http|https|ftp|file|irc|image:?):\\S+?\\[[^[]*?\\]',
         returnBegin: true,
         contains: [
           {

diff --git a/src/languages/aspectj.js b/src/languages/aspectj.js
@@ -115,7 +115,7 @@ export default function(hljs) {
       {
         // the function class is a bit different for AspectJ compared to the Java language
         className: 'function',
-        begin: /\w+ +\w+(\.)?\w+\s*\([^\)]*\)\s*((throws)[\w\s,]+)?[\{;]/,
+        begin: /\w+ +\w+(\.\w+)?\s*\([^\)]*\)\s*((throws)[\w\s,]+)?[\{;]/,
         returnBegin: true,
         end: /[{;=]/,
         keywords: KEYWORDS,

diff --git a/src/languages/basic.js b/src/languages/basic.js
@@ -45,7 +45,7 @@ export default function(hljs) {
       {
         // Match typed numeric constants (1000, 12.34!, 1.2e5, 1.5#, 1.2D2)
         className: 'number',
-        begin: '\\b([0-9]+[0-9edED\.]*[#\!]?)',
+        begin: '\\b\\d+(\\.\\d+)?([edED]\\d+)?[#\!]?',
         relevance: 0
       },
       {