HashWithOptions regex matches invalid attributes #2441

@rtkdpalozzi

Bug Description

It looks like the regex at https://github.com/nodejs/undici/blob/main/lib/fetch/util.js#L604 (/((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i) is incorrect in a few different ways. A-z will also match [\]^_ which are invalid base64 characters, and the range [A-z0-9+/] is only matched once anyways - the second character and all others until any padding are matched via .*. I didn't fully read the spec but I believe the latter half, ( +[\x21-\x7e]?)?, is also incorrect and won't accurately match the option-expression.

Reproducible By

N/A

Expected Behavior

The regex should only match valid integrity attributes and no other values.

Logs & Screenshots

N/A

Environment

N/A

Additional context
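
The behaviour described in this issue, as an added example that is not part of the original issue or of undici's code: it runs the regex quoted above against constructed values and compares the result with `strictHashExpression`, a hypothetical single-token pattern written for this example. The strict pattern is an assumption, not the project's fix, and deliberately does not model the option-expression.

```javascript
// Regex quoted in the issue (lib/fetch/util.js), copied verbatim.
const pageRegex = /((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i

// Hypothetical comparison pattern (assumption, not undici's code):
// anchored, one token only, every hash character limited to the
// base64 alphabet, followed by at most two "=" padding characters.
const strictHashExpression = /^(?<algo>sha256|sha384|sha512)-(?<hash>[A-Za-z0-9+/]+={0,2})$/i

// Report what the quoted regex captures as "hash" and whether the
// strict pattern accepts the same value.
function compare (value) {
  const loose = pageRegex.exec(value)
  return {
    value,
    looseHash: loose ? loose.groups.hash : null,
    strictOk: strictHashExpression.test(value)
  }
}

// Constructed sample values, one per point raised in the issue.
const samples = [
  // Well-formed: both patterns accept it.
  'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
  // [ \ ] ^ _ sit between "Z" and "a" in ASCII, so [A-z] accepts them.
  'sha256-[\\]^_',
  // Only the first character is checked; ".*" takes everything after it.
  'sha256-A!!! not base64 !!!',
  // ".*" is greedy and also swallows a space and a second token.
  'sha256-AAAA sha512-BBBB'
]

for (const sample of samples) {
  console.log(compare(sample))
}
```

The last three values are captured as a "hash" by the quoted regex and rejected by the strict pattern, so a caller relying on the match alone would treat them as well-formed integrity metadata.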

Labels: bug (Something isn't working)