From 0572517d400d0f46744c6ad236bec2d11f94b0a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Moreno?= Date: Mon, 26 Jun 2023 13:36:45 +0000 Subject: [PATCH] fix: better handling of whitespace (back-port to v5) --- package.json | 2 +- semver.js | 65 ++++++++++++++++++++++++++++++---------------- test/re.js | 14 ++++++++++ test/whitespace.js | 43 ++++++++++++++++++++++++++++++ 4 files changed, 100 insertions(+), 24 deletions(-) create mode 100644 test/re.js create mode 100644 test/whitespace.js diff --git a/package.json b/package.json index 69d2db16..c76058ab 100644 --- a/package.json +++ b/package.json @@ -23,6 +23,6 @@ "semver.js" ], "tap": { - "check-coverage": true + "timeout": 30 } } diff --git a/semver.js b/semver.js index d315d5d6..1ce87e77 100644 --- a/semver.js +++ b/semver.js @@ -28,9 +28,14 @@ var MAX_SAFE_COMPONENT_LENGTH = 16 // The actual regexps go on exports.re var re = exports.re = [] +var safeRe = exports.safeRe = [] var src = exports.src = [] var R = 0 +function makeSafeRe (value) { + return value.split('\\s*').join('\\s{0,1}').split('\\s+').join('\\s') +} + // The following Regular Expressions can be used for tokenizing, // validating, and parsing SemVer version strings. @@ -174,6 +179,7 @@ src[LONETILDE] = '(?:~>?)' var TILDETRIM = R++ src[TILDETRIM] = '(\\s*)' + src[LONETILDE] + '\\s+' re[TILDETRIM] = new RegExp(src[TILDETRIM], 'g') +safeRe[TILDETRIM] = new RegExp(makeSafeRe(src[TILDETRIM]), 'g') var tildeTrimReplace = '$1~' var TILDE = R++ @@ -189,6 +195,7 @@ src[LONECARET] = '(?:\\^)' var CARETTRIM = R++ src[CARETTRIM] = '(\\s*)' + src[LONECARET] + '\\s+' re[CARETTRIM] = new RegExp(src[CARETTRIM], 'g') +safeRe[CARETTRIM] = new RegExp(makeSafeRe(src[CARETTRIM]), 'g') var caretTrimReplace = '$1^' var CARET = R++ @@ -210,6 +217,7 @@ src[COMPARATORTRIM] = '(\\s*)' + src[GTLT] + // this one has to use the /g flag re[COMPARATORTRIM] = new RegExp(src[COMPARATORTRIM], 'g') +safeRe[COMPARATORTRIM] = new RegExp(makeSafeRe(src[COMPARATORTRIM]), 'g') var comparatorTrimReplace = '$1$2$3' // Something like `1.2.3 - 1.2.4` @@ -238,6 +246,14 @@ for (var i = 0; i < R; i++) { debug(i, src[i]) if (!re[i]) { re[i] = new RegExp(src[i]) + + // Replace all greedy whitespace to prevent regex dos issues. These regex are + // used internally via the safeRe object since all inputs in this library get + // normalized first to trim and collapse all extra whitespace. The original + // regexes are exported for userland consumption and lower level usage. A + // future breaking change could export the safer regex only with a note that + // all input should have extra whitespace removed. + safeRe[i] = new RegExp(src[i].split('\\s*').join('\\s{0,1}').split('\\s+').join('\\s')) } } @@ -262,7 +278,7 @@ function parse (version, options) { return null } - var r = options.loose ? re[LOOSE] : re[FULL] + var r = options.loose ? safeRe[LOOSE] : safeRe[FULL] if (!r.test(version)) { return null } @@ -317,7 +333,7 @@ function SemVer (version, options) { this.options = options this.loose = !!options.loose - var m = version.trim().match(options.loose ? re[LOOSE] : re[FULL]) + var m = version.trim().match(options.loose ? safeRe[LOOSE] : safeRe[FULL]) if (!m) { throw new TypeError('Invalid Version: ' + version) @@ -731,6 +747,7 @@ function Comparator (comp, options) { return new Comparator(comp, options) } + comp = comp.trim().split(/\s+/).join(' ') debug('comparator', comp, options) this.options = options this.loose = !!options.loose @@ -747,7 +764,7 @@ function Comparator (comp, options) { var ANY = {} Comparator.prototype.parse = function (comp) { - var r = this.options.loose ? re[COMPARATORLOOSE] : re[COMPARATOR] + var r = this.options.loose ? safeRe[COMPARATORLOOSE] : safeRe[COMPARATOR] var m = comp.match(r) if (!m) { @@ -861,9 +878,16 @@ function Range (range, options) { this.loose = !!options.loose this.includePrerelease = !!options.includePrerelease - // First, split based on boolean or || + // First reduce all whitespace as much as possible so we do not have to rely + // on potentially slow regexes like \s*. This is then stored and used for + // future error messages as well. this.raw = range - this.set = range.split(/\s*\|\|\s*/).map(function (range) { + .trim() + .split(/\s+/) + .join(' ') + + // First, split based on boolean or || + this.set = this.raw.split('||').map(function (range) { return this.parseRange(range.trim()) }, this).filter(function (c) { // throw out any that are not relevant for whatever reason @@ -871,7 +895,7 @@ function Range (range, options) { }) if (!this.set.length) { - throw new TypeError('Invalid SemVer Range: ' + range) + throw new TypeError('Invalid SemVer Range: ' + this.raw) } this.format() @@ -890,28 +914,23 @@ Range.prototype.toString = function () { Range.prototype.parseRange = function (range) { var loose = this.options.loose - range = range.trim() // `1.2.3 - 1.2.4` => `>=1.2.3 <=1.2.4` - var hr = loose ? re[HYPHENRANGELOOSE] : re[HYPHENRANGE] + var hr = loose ? safeRe[HYPHENRANGELOOSE] : safeRe[HYPHENRANGE] range = range.replace(hr, hyphenReplace) debug('hyphen replace', range) // `> 1.2.3 < 1.2.5` => `>1.2.3 <1.2.5` - range = range.replace(re[COMPARATORTRIM], comparatorTrimReplace) - debug('comparator trim', range, re[COMPARATORTRIM]) + range = range.replace(safeRe[COMPARATORTRIM], comparatorTrimReplace) + debug('comparator trim', range, safeRe[COMPARATORTRIM]) // `~ 1.2.3` => `~1.2.3` - range = range.replace(re[TILDETRIM], tildeTrimReplace) + range = range.replace(safeRe[TILDETRIM], tildeTrimReplace) // `^ 1.2.3` => `^1.2.3` - range = range.replace(re[CARETTRIM], caretTrimReplace) - - // normalize spaces - range = range.split(/\s+/).join(' ') + range = range.replace(safeRe[CARETTRIM], caretTrimReplace) // At this point, the range is completely trimmed and // ready to be split into comparators. - - var compRe = loose ? re[COMPARATORLOOSE] : re[COMPARATOR] + var compRe = loose ? safeRe[COMPARATORLOOSE] : safeRe[COMPARATOR] var set = range.split(' ').map(function (comp) { return parseComparator(comp, this.options) }, this).join(' ').split(/\s+/) @@ -987,7 +1006,7 @@ function replaceTildes (comp, options) { } function replaceTilde (comp, options) { - var r = options.loose ? re[TILDELOOSE] : re[TILDE] + var r = options.loose ? safeRe[TILDELOOSE] : safeRe[TILDE] return comp.replace(r, function (_, M, m, p, pr) { debug('tilde', comp, _, M, m, p, pr) var ret @@ -1028,7 +1047,7 @@ function replaceCarets (comp, options) { function replaceCaret (comp, options) { debug('caret', comp, options) - var r = options.loose ? re[CARETLOOSE] : re[CARET] + var r = options.loose ? safeRe[CARETLOOSE] : safeRe[CARET] return comp.replace(r, function (_, M, m, p, pr) { debug('caret', comp, _, M, m, p, pr) var ret @@ -1087,7 +1106,7 @@ function replaceXRanges (comp, options) { function replaceXRange (comp, options) { comp = comp.trim() - var r = options.loose ? re[XRANGELOOSE] : re[XRANGE] + var r = options.loose ? safeRe[XRANGELOOSE] : safeRe[XRANGE] return comp.replace(r, function (ret, gtlt, M, m, p, pr) { debug('xRange', comp, ret, gtlt, M, m, p, pr) var xM = isX(M) @@ -1157,10 +1176,10 @@ function replaceXRange (comp, options) { function replaceStars (comp, options) { debug('replaceStars', comp, options) // Looseness is ignored here. star is always as loose as it gets! - return comp.trim().replace(re[STAR], '') + return comp.trim().replace(safeRe[STAR], '') } -// This function is passed to string.replace(re[HYPHENRANGE]) +// This function is passed to string.replace(safeRe[HYPHENRANGE]) // M, m, patch, prerelease, build // 1.2 - 3.4.5 => >=1.2.0 <=3.4.5 // 1.2.3 - 3.4 => >=1.2.0 <3.5.0 Any 3.4.x will do @@ -1471,7 +1490,7 @@ function coerce (version) { return null } - var match = version.match(re[COERCE]) + var match = version.match(safeRe[COERCE]) if (match == null) { return null diff --git a/test/re.js b/test/re.js new file mode 100644 index 00000000..8943e503 --- /dev/null +++ b/test/re.js @@ -0,0 +1,14 @@ +var test = require('tap').test +var semver = require('../') + +test('has a list of src, re, and safeRe', function (t) { + semver.re.forEach(function (r) { return t.match(r, RegExp, 'regexps are regexps') }) + semver.src.forEach(function (s) { return t.match(s, String, 'src is strings') }) + + semver.safeRe.forEach(function (r) { + t.notMatch(r.source, '\\s+', 'safe regex do not contain greedy whitespace') + t.notMatch(r.source, '\\s*', 'safe regex do not contain greedy whitespace') + }) + + t.end() +}) diff --git a/test/whitespace.js b/test/whitespace.js new file mode 100644 index 00000000..cfc26ee3 --- /dev/null +++ b/test/whitespace.js @@ -0,0 +1,43 @@ +var test = require('tap').test +var semver = require('../') + +var validRange = semver.validRange +var SemVer = semver.SemVer +var Range = semver.Range +var Comparator = semver.Comparator +var minVersion = semver.minVersion +var minSatisfying = semver.minSatisfying +var maxSatisfying = semver.maxSatisfying + +function s(n) { + return ' '.repeat(n || 500000) +} + +test('regex dos via range whitespace', function (t) { + // a range with this much whitespace would take a few minutes to process if + // any redos susceptible regexes were used. there is a global tap timeout per + // file set in the package.json that will error if this test takes too long. + var r = `1.2.3 ${s()} <1.3.0` + + t.equal(new Range(r).range, '1.2.3 <1.3.0') + t.equal(validRange(r), '1.2.3 <1.3.0') + t.equal(minVersion(r).version, '1.2.3') + t.equal(minSatisfying(['1.2.3'], r), '1.2.3') + t.equal(maxSatisfying(['1.2.3'], r), '1.2.3') + + t.end() +}) + +test('semver version', function (t) { + var v = `${s(125)}1.2.3${s(125)}` + var tooLong = `${s()}1.2.3${s()}` + t.equal(new SemVer(v).version, '1.2.3') + t.throws(function () { return new SemVer(tooLong) }) + t.end() +}) + +test('comparator', function (t) { + var c = `${s()}<${s()}1.2.3${s()}` + t.equal(new Comparator(c).value, '<1.2.3') + t.end() +})