Strikethrough: fix exponential backtracking

A long sequence of backslashes inside a strikethrough could confuse the strikethrough regex into exponential backtracking, causing a potential ReDoS vulnerability. This commit updates the strikethrough regex to only accept a backslash if it is preceding an escaped character, as other rules handle backslashes. Updates to version 0.7.3 to publish this fix. Thanks to @pwntester and the [GitHub Security Lab team](https://securitylab.github.com/) for finding this vulnerability! Test plan: 1. `make test` * verify the new strikethrough backtracking test passes * verify all the prior tests pass
ariabuckles · Jan 8, 2021 · f5bfed6 · f5bfed6
1 parent d3780d4
commit f5bfed6
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 5 deletions.
diff --git a/__tests__/simple-markdown-test.js b/__tests__/simple-markdown-test.js
@@ -4414,5 +4414,15 @@ describe("simple markdown", function() {
             var duration = Date.now() - startTime;
             assert.ok(duration < 10, "Expected parsing to finish in <10ms, but was " + duration + "ms.");
         });
+
+        it("should parse long strikethroughs with lots of backslasher quickly", function() {
+            var source = "~~\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}\\}" +
+                "\\}\\}\\}\\}\\}\\}\\}\\}\\\\}\\}\\}\\}\\}\\}\\}}\\}\\}\\}\\}\\}\\}}~";
+
+            var startTime = Date.now();
+            var parsed = blockParse(source);
+            var duration = Date.now() - startTime;
+            assert.ok(duration < 10, "Expected parsing to finish in <10ms, but was " + duration + "ms.");
+        });
     });
 });
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "simple-markdown",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "description": "Javascript markdown parsing, made simple",
   "main": "simple-markdown.js",
   "types": "simple-markdown.d.ts",

diff --git a/simple-markdown.js b/simple-markdown.js
@@ -1700,7 +1700,7 @@ var defaultRules /* : DefaultRules */ = {
     },
     del: {
         order: currOrder++,
-        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~]|\s(?!~~))+?)~~/),
+        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~\\]|\s(?!~~))+?)~~/),
         parse: parseCaptureInline,
         react: function(node, output, state) {
             return reactElement(

diff --git a/simple-markdown.min.js b/simple-markdown.min.js
diff --git a/src/index.js b/src/index.js
@@ -1698,7 +1698,7 @@ var defaultRules /* : DefaultRules */ = {
     },
     del: {
         order: currOrder++,
-        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~]|\s(?!~~))+?)~~/),
+        match: inlineRegex(/^~~(?=\S)((?:\\[\s\S]|~(?!~)|[^\s~\\]|\s(?!~~))+?)~~/),
         parse: parseCaptureInline,
         react: function(node, output, state) {
             return reactElement(