RegExp performance #107
Also, REDOS.
larsgw added a commit that referenced this issue on May 11, 2018:
Fix some of the regexes flagged by the eslint REDOS plugin. See #107
larsgw added a commit that referenced this issue on May 11, 2018:
Fix some of the regexes flagged by the eslint REDOS plugin. See #107
larsgw added a commit that referenced this issue on May 11, 2018:
Citation.js uses quite a few regexes, from input validation, to parsing, to editing HTML right before outputting (sorry). These can be vulnerable to exponential backtracking, possibly leading to REDOS (Regular Expression Denial Of Service) issues, as kindly reported by James Davis (@davisjam). This commit adds tests to check regexes for backtracking vulnerabilities. It also 'fixes' all regexes flagged by these tests. Note that with these changes, some checks are less strict. However, this shouldn't cause problems, as false positives are still rare. If any problems do occur, please report at https://github.com/larsgw/citation.js/issues See #107
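The commit message above describes adding tests that check the project's regexes for backtracking problems and loosening the patterns that get flagged. The block below is an added example written for this page, not Citation.js code and not its test suite: it shows the shape of pattern that backtracks exponentially (a repeated group whose quantified parts overlap), a rewrite of the same pattern that fails in linear time, and a small budget-based check of the kind such a test can run over every regex a project ships. The two regexes, the `adversarial` input generator and the `backtrackingCheck` helper are all constructed for the illustration; how long the vulnerable pattern actually takes depends on the engine running it.

```javascript
// Added example, not Citation.js code: a regex whose nested quantifier
// backtracks exponentially, a rewrite that does not, and a budget-based
// check of the kind a test suite can run over every regex it ships.

// Vulnerable: "words optionally separated by one space". Because \w+ can
// absorb one or many characters and the group repeats, a run of n word
// characters followed by a character that cannot match can be split in
// 2^(n-1) ways, and the engine tries every split before reporting failure.
const VULNERABLE = /^(\w+\s?)*$/;

// Hardened: accepts the same strings, but each character now belongs to
// exactly one part of the pattern. \s and \w are disjoint, so once \w+ stops
// there is a single way forward and failure is reported after a linear scan.
const HARDENED = /^(?:\w+(?:\s\w+)*\s?)?$/;

// Constructed adversarial input: n word characters followed by one character
// that can never match, which forces the engine to exhaust every split.
function adversarial(n) {
  return 'a'.repeat(n) + '!';
}

// Run `regex` over each input and report the slowest one; `ok` is false when
// any input exceeded the time budget. A test suite can feed every regex in a
// project through this with adversarial inputs of growing length.
function backtrackingCheck(regex, inputs, budgetMs) {
  let slowest = { input: null, ms: 0, matched: null };
  for (const input of inputs) {
    const start = Date.now();
    const matched = regex.test(input);
    const ms = Date.now() - start;
    if (ms >= slowest.ms) slowest = { input, ms, matched };
  }
  return { ...slowest, ok: slowest.ms <= budgetMs };
}

// A loosened or rewritten regex must still accept and reject the same
// benign inputs as the original; check that before shipping the fix.
function agree(inputs) {
  return inputs.every((s) => VULNERABLE.test(s) === HARDENED.test(s));
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(agree(['', 'foo', 'foo bar', 'foo bar ', 'foo  bar', 'a!']));
  // Keep n small here: every extra character doubles the work for VULNERABLE.
  console.log(backtrackingCheck(VULNERABLE, [adversarial(20)], 50));
  console.log(backtrackingCheck(HARDENED, [adversarial(5000)], 50));
}
```

The `agree` check is the part that matters when a flagged regex is rewritten rather than removed: the commit message notes that some checks became less strict, and a table of known inputs run through both the old and the new pattern makes that difference visible instead of discovering it in a bug report.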
Citation.js relies pretty heavily on RegExp (for now at least) and Babel, so this might be a bit of an issue. Luckily, there's a workaround: most behaviour that uses RegExp is input parsing, which is now exchangeable with custom parsers.