Strikethrough: fix exponential backtracking

ariabuckles · ariabuckles · commit f5bfed64a68d · 2021-01-07T19:16:22.000-08:00
A long sequence of backslashes inside a strikethrough could confuse the strikethrough regex into exponential backtracking, causing a potential ReDoS vulnerability. This commit updates the strikethrough regex to only accept a backslash if it is preceding an escaped character, as other rules handle backslashes. Updates to version 0.7.3 to publish this fix. Thanks to @pwntester and the [GitHub Security Lab team](https://securitylab.github.com/) for finding this vulnerability! Test plan: 1. `make test` * verify the new strikethrough backtracking test passes * verify all the prior tests pass
diff --git a/__tests__/simple-markdown-test.js b/__tests__/simple-markdown-test.js
@@ -4414,5 +4414,15 @@ describe("simple markdown", function() {
             var duration = Date.now() - startTime;
             assert.ok(duration < 10, "Expected parsing to finish in <10ms, but was " + duration + "ms.");
         });
+
+        it("should parse long strikethroughs with lots of backslasher quickly", function() {
+            var source = "~~\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}" +
+                "\\}\\}\\}\\}\\}\\}\\}\\}\\\\}\\}\\}\\}\\}\\}\\}}\\}\\}\\}\\}\\}\\}}~";
+
+            var startTime = Date.now();
+            var parsed = blockParse(source);
+            var duration = Date.now() - startTime;
+            assert.ok(duration < 10, "Expected parsing to finish in <10ms, but was " + duration + "ms.");
+        });
     });
 });
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "simple-markdown",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "description": "Javascript markdown parsing, made simple",
   "main": "simple-markdown.js",
   "types": "simple-markdown.d.ts",
diff --git a/simple-markdown.js b/simple-markdown.js
@@ -1700,7 +1700,7 @@ var defaultRules /* : DefaultRules */ = {
     },
     del: {
         order: currOrder++,
-        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~]|\s(?!~~))+?)~~/),
+        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~\\]|\s(?!~~))+?)~~/),
         parse: parseCaptureInline,
         react: function(node, output, state) {
             return reactElement(
diff --git a/simple-markdown.min.js b/simple-markdown.min.js
diff --git a/src/index.js b/src/index.js
@@ -1698,7 +1698,7 @@ var defaultRules /* : DefaultRules */ = {
     },
     del: {
         order: currOrder++,
-        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~]|\s(?!~~))+?)~~/),
+        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~\\]|\s(?!~~))+?)~~/),
         parse: parseCaptureInline,
         react: function(node, output, state) {
             return reactElement(

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "simple-markdown",`
`3`		`- "version": "0.7.2",`
	`3`	`+ "version": "0.7.3",`
`4`	`4`	`"description": "Javascript markdown parsing, made simple",`
`5`	`5`	`"main": "simple-markdown.js",`
`6`	`6`	`"types": "simple-markdown.d.ts",`