
fix vulnerable pattern in trim http://stackstatus.net/post/1477106246…

1 parent 642041f commit 4a58f5c12582796b3c7e0ad784630fc6be56b92d @leafo committed Jul 21, 2016
Showing with 18 additions and 2 deletions.
  1. +6 −1 lapis/util.lua
  2. +7 −1 lapis/util.moon
  3. +5 −0 spec/util_spec.moon
@@ -167,7 +167,12 @@ uniquify = function(list)
end)()
end
trim = function(str)
- return tostring(str):match("^%s*(.-)%s*$")
+ str = tostring(str)
+ if #str > 200 then
+ return str:gsub("^%s+", ""):reverse():gsub("^%s+", ""):reverse()
+ else
+ return str:match("^%s*(.-)%s*$")
+ end
end
trim_all = function(tbl)
for k, v in pairs(tbl) do
@@ -102,7 +102,13 @@ uniquify = (list) ->
seen[item] = true
item
-trim = (str) -> tostring(str)\match "^%s*(.-)%s*$"
+trim = (str) ->
+ str = tostring str
+
+ if #str > 200
+ str\gsub("^%s+", "")\reverse()\gsub("^%s+", "")\reverse()
+ else
+ str\match "^%s*(.-)%s*$"
trim_all = (tbl) ->
for k,v in pairs tbl
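Review bot: The `#str > 200` cutoff in `trim` is an unexplained magic number, and nothing in the hunk records why two code paths exist. A comment above the `if` such as `-- "^%s*(.-)%s*$" backtracks quadratically on long inner whitespace runs; keep it for short input only, use the linear gsub/reverse path otherwise` would keep a later cleanup from merging the branches back into the vulnerable form. Because the gsub/reverse branch appears to give the same result at any length, dropping the `match` branch would leave a single path to test; presumably it was kept for speed on short strings. The same branch is in the lapis/util.lua hunk, which looks like the compiled output of this file.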
@@ -250,6 +250,11 @@ tests = {
}
{
+ -> util.trim " hello#{" "\rep 20000}world "
+ "hello#{" "\rep 20000}world"
+ }
+
+ {
-> util.trim_filter {
" ", " thing ",
yes: " "
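Review bot: The added case checks only the returned string, so as far as the visible lines show it would also pass against the old single-pattern `trim`, just slowly; it does not fail if the quadratic behaviour comes back. Consider putting a time bound around the 20000-space call, or asserting on elapsed time with `os.clock`. Cases at lengths 200 and 201 would pin both sides of the `#str > 200` branch, and a long all-whitespace string expecting `""` would cover the remaining edge of the gsub/reverse path. The `tests` table starts and ends outside this hunk.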
