Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No RexExp parser #100

Merged
merged 6 commits into from
Feb 24, 2018
Merged

No RexExp parser #100

merged 6 commits into from
Feb 24, 2018

Conversation

stash-sfdc
Copy link
Contributor

I have nothing against RegExps in general, but for security conscious code, there's too many pitfalls.

This pull-request is about converting from using mostly RegExp to using mostly native JavaScript code. The main cookie parser and the RFC-compliant date parser are most affected.

When tough-cookie was originally written, the RegExps were used because it seemed easier to maintain. This pull request certainly increases the code complexity, but does so in the hopes that maintaining the RegExps would have been more time-consuming in the long run.

As a bonus, it seems that the pure JavaScript version is about 1 to 2% faster than the RegExp one, based on the time it takes to run the entire tough-cookie test suite (7.0s versus 6.9s now).

@stash-sfdc
2.3.3
12d4266
@stash-sfdc
Parse cookie-pair part without regexp
c9bd79d 
Specifically to avoid any more hidden ReDoS in those regexes.

Seems to run tests in 6.9s vs 7.0s so might be a bit of a speed bonus on
some platforms!
@stash-sfdc
Avoid unbounded Regexp parts in date parsing
2a4775c 
Replaces a bunch of `[^\d]*$` with bounded `(?:[^\d]|$)`

Double checked the RFC6265 spec: time cannot have non-digits beside the
colons.
@stash-sfdc
More String#repeat polyfill
8614dbf
@stash-sfdc
Convert date-time parser from regexp, expand tests
8452ccd 
None of the regexps (at least, when they were removed) are vulnerable to
ReDoS. However, took this opportunity to check that the RFC is being
closer and more clearly documented where in the code.

Another way to put this: "regexps are magic and hinder code analysis"

Introduced some equivalence tests to ensure that certain "weird" dates
are indeed parsing the same as their "canonical" RFC6265 counterpart.
@stash-sfdc
Document removal of 256 space limit
751da6d
@stash-sfdc stash-sfdc mentioned this pull request Sep 26, 2017
Merged
@awaterma awaterma self-requested a review December 18, 2017 04:41
@awaterma awaterma self-assigned this Dec 18, 2017
@stash stash merged commit 7564c06 into master Feb 24, 2018
@stash
Copy link
Collaborator

stash commented Feb 26, 2018

Integration tested request, jsdom, and zombie.

@awaterma
Copy link
Member

awaterma commented Mar 5, 2018

Looks good. Thanks for merging.

This was referenced Mar 15, 2021
Open
Merged
Merged
wjhsf pushed a commit that referenced this pull request Feb 8, 2024
Prerelease --> master for Winter '20 (#100)
84b2b7a 
* Winter '20 (API 47.0) prep

* 0.6.0

* use node LTS in CI

* Prerelease 0.6.1 (#98)

* 0.6.1-alpha1

* wip: synthetic shadow dep

* wip: add testEnvironment to preset

* update yargs for security alert (#90)

* update yargs for security alert

* fix test

* Bump eslint-utils from 1.3.1 to 1.4.2 (#89)

Bumps [eslint-utils](https://github.com/mysticatea/eslint-utils) from 1.3.1 to 1.4.2.
- [Release notes](https://github.com/mysticatea/eslint-utils/releases)
- [Commits](mysticatea/eslint-utils@v1.3.1...v1.4.2)

Signed-off-by: dependabot[bot] <[email protected]>

* Update input stub to support "autocomplete" property (#92)

* Update to include date-style and time-style attributes (#94)

* 0.6.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awaterma awaterma Awaiting requested review from awaterma awaterma is a code owner

Assignees

@awaterma awaterma

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stash-sfdc @stash @awaterma