Fix ReDoS vulnerability

sindresorhus · sindresorhus · commit 01f8a087fab8 · 2021-03-11T16:43:07.000+07:00
diff --git a/index.js b/index.js
@@ -21,9 +21,17 @@ const cleanEntities = svg => {
 	return svg.replace(entityRegex, '');
 };
 
-const regex = /^\s*(?:<\?xml[^>]*>\s*)?(?:<!doctype svg[^>]*\s*(?:\[?(?:\s*<![^>]*>\s*)*\]?)*[^>]*>\s*)?(?:<svg[^>]*>[^]*<\/svg>|<svg[^/>]*\/\s*>)\s*$/i;
+const removeDtdMarkupDeclarations = svg => svg.replace(/\[?(?:\s*<![A-Z]+[^>]*>\s*)*\]?/g, '');
 
-const isSvg = input => Boolean(input) && !isBinary(input) && regex.test(cleanEntities(input.toString()).replace(htmlCommentRegex, ''));
+const clean = svg => {
+	svg = cleanEntities(svg);
+	svg = removeDtdMarkupDeclarations(svg);
+	return svg;
+};
+
+const regex = /^\s*(?:<\?xml[^>]*>\s*)?(?:<!doctype svg[^>]*>\s*)?(?:<svg[^>]*>[^]*<\/svg>|<svg[^/>]*\/\s*>)\s*$/i;
+
+const isSvg = input => Boolean(input) && !isBinary(input) && regex.test(clean(input.toString()).replace(htmlCommentRegex, ''));
 
 module.exports = isSvg;
 // TODO: Remove this for the next major release
diff --git a/package.json b/package.json
@@ -42,6 +42,7 @@
 	"devDependencies": {
 		"@types/node": "^11.13.0",
 		"ava": "^1.4.1",
+		"time-span": "^4.0.0",
 		"tsd": "^0.7.2",
 		"xo": "^0.24.0"
 	}
diff --git a/test.js b/test.js
@@ -1,5 +1,6 @@
 import fs from 'fs';
 import test from 'ava';
+import timeSpan from 'time-span';
 import isSvg from '.';
 
 test('valid SVGs', t => {
@@ -70,3 +71,15 @@ test('support markup inside Entity tags', t => {
  		</g>
 	</svg>`));
 });
+
+test('regex should not be quadratic', t => {
+	const end = timeSpan();
+
+	isSvg(`<!doctype svg ${' '.repeat(34560)}`);
+
+	if (end.seconds() < 10) {
+		t.pass();
+	} else {
+		t.fail();
+	}
+});

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@`
`42`	`42`	`"devDependencies": {`
`43`	`43`	`"@types/node": "^11.13.0",`
`44`	`44`	`"ava": "^1.4.1",`
	`45`	`+ "time-span": "^4.0.0",`
`45`	`46`	`"tsd": "^0.7.2",`
`46`	`47`	`"xo": "^0.24.0"`
`47`	`48`	`}`