JoBoEVD/UglifyJS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avoid potential RegExp denial-of-service (#5135)

Browse Source 
closes #5133
closes #5134
This commit is contained in:
Alex Lam S.L
2021-09-29 18:49:46 +01:00
committed by GitHub
parent f766babf5e
commit 157521066f
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/compress.js
View File

@@ -11336,7 +11336,7 @@ merge(Compressor.prototype, {
function decode_template(str) { function decode_template(str) {
var malformed = false; var malformed = false;
str = str.replace(/\\(u\{[^}]*\}?|u[\s\S]{0,4}|x[\s\S]{0,2}|[0-9]+|[\s\S])/g, function(match, seq) { str = str.replace(/\\(u\{[^{}]*\}?|u[\s\S]{0,4}|x[\s\S]{0,2}|[0-9]+|[\s\S])/g, function(match, seq) {
var ch = decode_escape_sequence(seq); var ch = decode_escape_sequence(seq);
if (typeof ch == "string") return ch; if (typeof ch == "string") return ch;
malformed = true; malformed = true;

2
lib/utils.js
View File

@@ -143,7 +143,7 @@ function push_uniq(array, el) {
} }
function string_template(text, props) { function string_template(text, props) {
return text.replace(/\{([^}]+)\}/g, function(str, p) { return text.replace(/\{([^{}]+)\}/g, function(str, p) {
var value = props[p]; var value = props[p];
return value instanceof AST_Node ? value.print_to_string() : value; return value instanceof AST_Node ? value.print_to_string() : value;
}); });

6
test/sandbox.js
View File

@@ -28,7 +28,7 @@ exports.run_code = semver.satisfies(process.version, "0.8") ? function(code, top
if ([ if ([
/\basync[ \t]*\([\s\S]*?\)[ \t]*=>/, /\basync[ \t]*\([\s\S]*?\)[ \t]*=>/,
/\b(async[ \t]+function|Promise|setImmediate|setInterval|setTimeout)\b/, /\b(async[ \t]+function|Promise|setImmediate|setInterval|setTimeout)\b/,
/\basync([ \t]+|[ \t]*#|[ \t]*\*[ \t]*)[^\s()[\]{},.&|!~=*%/+-]+(\s*\(|[ \t]*=>)/, /\basync([ \t]+|[ \t]*#|[ \t]*\*[ \t]*)[^\s()[\]{}#,.&|!~=*%/+-]+(\s*\(|[ \t]*=>)/,
].some(function(pattern) { ].some(function(pattern) {
return pattern.test(code); return pattern.test(code);
})) { })) {
@@ -51,13 +51,13 @@ exports.same_stdout = semver.satisfies(process.version, "0.12") ? function(expec
}; };
exports.patch_module_statements = function(code) { exports.patch_module_statements = function(code) {
var count = 0, imports = []; var count = 0, imports = [];
code = code.replace(/\bexport(?:\s*\{[^}]*}\s*?(?:$|\n|;)|\s+default\b(?:\s*(\(|\{|class\s*\{|class\s+(?=extends\b)|(?:async\s+)?function\s*(?:\*\s*)?\())?|\b)/g, function(match, header) { code = code.replace(/\bexport(?:\s*\{[^{}]*}\s*?(?:$|\n|;)|\s+default\b(?:\s*(\(|\{|class\s*\{|class\s+(?=extends\b)|(?:async\s+)?function\s*(?:\*\s*)?\())?|\b)/g, function(match, header) {
if (!header) return ""; if (!header) return "";
if (header.length == 1) return "0, " + header; if (header.length == 1) return "0, " + header;
return header.slice(0, -1) + " _" + ++count + header.slice(-1); return header.slice(0, -1) + " _" + ++count + header.slice(-1);
}).replace(/\bimport\.meta\b/g, function() { }).replace(/\bimport\.meta\b/g, function() {
return '({ url: "https://example.com/path/index.html" })'; return '({ url: "https://example.com/path/index.html" })';
}).replace(/\bimport\b(?:\s*([^('"]+)\bfrom\b)?\s*(['"]).*?\2(?:$|\n|;)/g, function(match, symbols) { }).replace(/\bimport\b(?:\s*([^\s('"][^('"]*)\bfrom\b)?\s*(['"]).*?\2(?:$|\n|;)/g, function(match, symbols) {
if (symbols) { if (symbols) {
if (!/^[{*]/.test(symbols)) symbols = "default:" + symbols; if (!/^[{*]/.test(symbols)) symbols = "default:" + symbols;
symbols = symbols.replace(/[{}]/g, "").trim().replace(/\s*,\s*/g, ","); symbols = symbols.replace(/[{}]/g, "").trim().replace(/\s*,\s*/g, ",");

2
test/ufuzz/index.js
View File

@@ -2350,7 +2350,7 @@ function patch_try_catch(orig, toplevel) {
tries: [], tries: [],
} ]; } ];
var tail_throw = '\nif (typeof UFUZZ_ERROR == "object") throw UFUZZ_ERROR;\n'; var tail_throw = '\nif (typeof UFUZZ_ERROR == "object") throw UFUZZ_ERROR;\n';
var re = /(?:(?:^|[\s{}):;])try|}\s*catch\s*\(([^)[{]+)\)|}\s*finally)\s*(?={)/g; var re = /(?:(?:^|[\s{}):;])try|}\s*catch\s*\(([^()[{]+)\)|}\s*finally)\s*(?={)/g;
while (stack.length) { while (stack.length) {
var code = stack[0].code; var code = stack[0].code;
var offset = stack[0].offset; var offset = stack[0].offset;