Restrict pattern for space-separated arguments in glob embed regex (#92)

* Add test to reproduce ReDoS in glob regex * Restrict pattern for space-separated arguments in glob regex * Add to changelog
digitalocean · Jan 16, 2024 · 39a3836 · 39a3836
1 parent 9f82063
commit 39a3836
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ Any non-code changes should be prefixed with `(docs)`.
 See `PUBLISH.md` for instructions on how to publish a new version.
 -->
 
+- (patch) Fix ReDoS in glob embed rule regex
 - (patch) Dependency updates
 - (patch) Mark markdown-it as a peer dependency
 

diff --git a/rules/embeds/glob.js b/rules/embeds/glob.js
@@ -1,5 +1,5 @@
 /*
-Copyright 2022 DigitalOcean
+Copyright 2024 DigitalOcean
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -78,7 +78,7 @@ module.exports = md => {
         if (closingMark === -1) return false;
 
         // Check for glob match
-        const match = currentLines.slice(0, closingMark + 3).match(/^\[glob (.+?(?:(?: .+?)+|(?:\n.+?)+))\](?:$|\n)/);
+        const match = currentLines.slice(0, closingMark + 3).match(/^\[glob (.+?(?:(?: [^ \n]+?)+|(?:\n.+?)+))\](?:$|\n)/);
         if (!match) return false;
 
         // Get the full strings

diff --git a/rules/embeds/glob.test.js b/rules/embeds/glob.test.js
@@ -1,5 +1,5 @@
 /*
-Copyright 2022 DigitalOcean
+Copyright 2024 DigitalOcean
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -68,6 +68,16 @@ it('handles glob embeds with linebreaks and spaces in glob', () => {
 `);
 });
 
+it('handles glob embeds with many spaces in glob and a linebreak (ReDos)', () => {
+    expect(md.render(`[glob ${Array.from('a'.repeat(50)).join(' ')}\nb\nc]`)).toBe(`<div data-glob-tool-embed data-glob-string="${Array.from('a'.repeat(50)).join(' ')}" data-glob-test-0="b" data-glob-test-1="c">
+    <a href="https://www.digitalocean.com/community/tools/glob?glob=${Array.from('a'.repeat(50)).join('+')}&tests=b&tests=c" target="_blank">
+        Explore <code>${Array.from('a'.repeat(50)).join(' ')}</code> as a glob string in our glob testing tool
+    </a>
+</div>
+<script async defer src="https://do-community.github.io/glob-tool-embed/bundle.js" type="text/javascript" onload="window.GlobToolEmbeds()"></script>
+`);
+});
+
 it('handles glob embeds with multiple linebreaks (no embed)', () => {
     expect(md.render('[glob *.js\n\n/a\n\n/b]')).toBe(`<p>[glob *.js</p>
 <p>/a</p>