Fix two exponential regex backtracking vulnerabilities

ESCAPED_CHAR already matches `\\`, so matching it again in another alternative was causing exponential complexity explosion. This makes the following behavior changes: * `[foo\\\]` is no longer incorrectly accepted as a link reference. * `<foo\>` is no longer incorrectly accepted as an angle-bracketed link destination. Fixes commonmark#157. Signed-off-by: Anders Kaseorg <[email protected]>
andersk · Mar 10, 2019 · f29e64c · f29e64c
1 parent 2052768
commit f29e64c
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/lib/inlines.js b/lib/inlines.js
@@ -45,8 +45,7 @@ var reLinkTitle = new RegExp(
         '|' +
         '\\((' + ESCAPED_CHAR + '|[^)\\x00])*\\))');
 
-var reLinkDestinationBraces = new RegExp(
-    '^(?:[<](?:[^<>\\n\\\\\\x00]' + '|' + ESCAPED_CHAR + '|' + '\\\\)*[>])');
+var reLinkDestinationBraces = /^(?:<(?:[^<>\n\\\x00]|\\.)*>)/;
 
 var reEscapable = new RegExp('^' + ESCAPABLE);
 
@@ -78,8 +77,7 @@ var reInitialSpace = /^ */;
 
 var reSpaceAtEndOfLine = /^ *(?:\n|$)/;
 
-var reLinkLabel = new RegExp('^\\[(?:[^\\\\\\[\\]]|' + ESCAPED_CHAR +
-  '|\\\\){0,1000}\\]');
+var reLinkLabel = /^\[(?:[^\\\[\]]|\\.){0,1000}\]/;
 
 // Matches a string of non-special characters.
 var reMain = /^[^\n`\[\]\\!<&*_'"]+/m;
@@ -524,9 +522,7 @@ var parseLinkDestination = function() {
 // Attempt to parse a link label, returning number of characters parsed.
 var parseLinkLabel = function() {
     var m = this.match(reLinkLabel);
-    // Note:  our regex will allow something of form [..\];
-    // we disallow it here rather than using lookahead in the regex:
-    if (m === null || m.length > 1001 || /[^\\]\\\]$/.exec(m)) {
+    if (m === null || m.length > 1001) {
         return 0;
     } else {
         return m.length;