Merge pull request from GHSA-cmcx-xhr8-3w9p
Advisory fix 1
commenthol committed Feb 20, 2020
2 parents cad8bd4 + e9a1c74 commit 0afd61e
Showing 2 changed files with 47 additions and 9 deletions.
8 changes: 4 additions & 4 deletions regexes.yaml
@@ -1572,7 +1572,7 @@ device_parsers:
# WebBrowser for SmartWatch
# @ref: https://play.google.com/store/apps/details?id=se.vaggan.webbrowser&hl=en
#########
- regex: '\bSmartWatch *\( *([^;]+) *; *([^;]+) *;'
- regex: '\bSmartWatch {0,2}\( {0,2}([^;]+) {0,2}; {0,2}([^;]+) {0,2};'
device_replacement: '$1 $2'
brand_replacement: '$1'
model_replacement: '$2'
@@ -2584,7 +2584,7 @@ device_parsers:
device_replacement: '$1$2'
brand_replacement: 'Huawei'
model_replacement: '$2'
- regex: '; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)'
- regex: '; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)\)'
device_replacement: '$1'
brand_replacement: 'Huawei'
model_replacement: '$2'
@@ -5126,7 +5126,7 @@ device_parsers:
# HbbTV (European and Australian standard)
# written before the LG regexes, as LG is making HbbTV too
##########
- regex: '(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\)'
- regex: '(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \( {0,1};(LG)E {0,1};([^;]{0,30})'
device_replacement: '$1'
brand_replacement: '$2'
model_replacement: '$3'
@@ -5141,7 +5141,7 @@ device_parsers:
- regex: '(HbbTV)/1\.1\.1 \(;;;;;\) Maple_2011'
device_replacement: '$1'
brand_replacement: 'Samsung'
- regex: '(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;'
- regex: '(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]{0,30}; {0,1}(?:CUS:([^;]*)|([^;]+)) {0,1}; {0,1}([^;]{0,30})'
device_replacement: '$1'
brand_replacement: '$2$3'
model_replacement: '$4'
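Review bot: The Huawei rule in the second hunk still places two quantifiers that accept the same characters next to each other: `\d+` is followed by `[^\);]+`, and that class also matches digits, so on a long digit run with no closing `)` the engine appears to retry every split point, which is quadratic rather than linear. Because the class includes the digits, `\d+[^\);]+` matches exactly the same strings as `\d[^\);]+`, so the alternative could be written `[A-Z]+\d[^\);]+` with the same capture and a single scan. The ` *` in front of `([^;/]+)` at the start of that rule overlaps on spaces in the same way and is not exercised by the new tests. These patterns run on a request header, so capping the User-Agent length before parsing would be a useful second safeguard; whether callers already do that is not visible on this page.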
48 changes: 43 additions & 5 deletions tests/regexes.js
@@ -40,12 +40,50 @@ suite('regexes', function () {
})
})

test('should not backtrack', function () {
var parse = refImpl(regexes).parse
var ua = Array(3200).fill('a').join('')
})

suite('redos', function () {
var parse = refImpl(regexes).parse

function timer () {
var start = Date.now()
return function () {
return Date.now() - start
}
}

function testRedos (ua) {
var time = timer()
parse(ua)
var diff = Date.now() - start
assert.ok(diff < 500, diff)
var diff = time()
assert.ok(diff < 300, diff)
}

test('should not backtrack aaaa..', function () {
testRedos(Array(3200).fill('a').join(''))
})

test('should not backtrack Smartwatch', function () {
testRedos('SmartWatch(' + Array(3500).fill(' ').join('') + 'z')
})

test('should not backtrack HuaweiA', function () {
testRedos(';A Build HuaweiA' + Array(3500).fill('4').join('') + 'z')
})

test('should not backtrack HbbTV LGE', function () {
testRedos('HbbTV/0.0.0 (;LGE;' + Array(3500).fill(' ').join('') + 'z')
})

test('should not backtrack HbbTV CUS', function () {
testRedos('HbbTV/0.0.0 (;CUS:;' + Array(3500).fill(' ').join('') + 'z')
})

test('should not backtrack HbbTV', function () {
testRedos('HbbTV/0.0.0 (;' + Array(3500).fill(' ').join('') + 'z')
})

test('should not backtrack HbbTV z', function () {
testRedos('HbbTV/0.0.0 (;z;' + Array(3500).fill(' ').join('') + 'z')
})
})
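Review bot: `testRedos` asserts a fixed wall-clock budget (`diff < 300`) at a single input length, which ties the result to CI load and, at roughly 3,500 characters, is probably too coarse to notice a pattern that is still quadratic. Timing with a monotonic clock such as `process.hrtime.bigint()` instead of `Date.now()`, and parsing each input at two lengths to check that doubling the length does not roughly quadruple the time, would test the growth rate rather than the machine. The second argument to `assert.ok` is the bare number, so a failure prints only that number; `assert.ok(diff < 300, 'parse took ' + diff + ' ms for ' + ua.length + ' chars')` would make it readable. The enclosing `suite('regexes', …)` block starts outside this hunk.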
