Skip to content

[core] Fix ReDoS Vulnerability in commonFramework-*.js by Replacing Vulnerable Regex #701

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: dev
Choose a base branch
from
Open

[core] Fix ReDoS Vulnerability in commonFramework-*.js by Replacing Vulnerable Regex #701

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
71484e7
fix: eliminate ReDoS in bindings.js, add regression test, and script …
cecechen04 May 26, 2025
792d4c4
fix: eliminate ReDoS in bindings.js and add regression test
cecechen04 May 27, 2025
53e610a
更新了init.js文件
cecechen04 Jun 18, 2025
7b5a0d8
fix: patch ReDoS in <form[^>]*> regex (limit input or adjust pattern)
cecechen04 Jun 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 9 additions & 5 deletions client/commonFramework/bindings.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ window.common = (function(global) {
};

common.init.push(function($) {
function stripTrailingHashes(url) {
let i = url.length - 1;
while (i >= 0 && url[i] === '#') i--;
return url.slice(0, i + 1);
}

var $marginFix = $('.innerMarginFix');
$marginFix.css('min-height', $marginFix.height());
Expand Down Expand Up @@ -179,10 +184,9 @@ window.common = (function(global) {
});

$('#search-issue').on('click', function() {
var queryIssue = window.location.href
.toString()
.split('?')[0]
.replace(/(#*)$/, '');
var queryIssue = stripTrailingHashes(
window.location.href.toString().split('?')[0]
);
window.open(
'https://github.com/freecodecampchina/freecodecamp.cn/issues?q=' +
'is:issue is:all ' +
Expand All @@ -196,4 +200,4 @@ window.common = (function(global) {
});

return common;
}(window));
}(window));
4 changes: 2 additions & 2 deletions client/commonFramework/init.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,13 @@ window.common = (function(global) {
};

common.replaceFormActionAttr = function replaceFormAction(value) {
return value.replace(/<form[^>]*>/, function(val) {
return value.replace(/<form(?!<form)[^>]*>/, function(val) {
return val.replace(/action(\s*?)=/, 'fccfaa$1=');
});
};

common.replaceFccfaaAttr = function replaceFccfaaAttr(value) {
return value.replace(/<form[^>]*>/, function(val) {
return value.replace(/<form(?!<form)[^>]*>/, function(val) {
return val.replace(/fccfaa(\s*?)=/, 'action$1=');
});
};
Expand Down
3 changes: 2 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,8 @@
"lint-json": "npm run lint-server && npm run lint-challenges && npm run lint-resources && npm run lint-utils",
"test-challenges": "babel-node seed/test-challenges.js | tap-spec",
"pretest": "npm run lint",
"test": "npm run test-challenges"
"test": "npm run test-challenges",
"test-redos": "mocha test/commonFramework/bindings.test.js"
},
"license": "(BSD-3-Clause AND CC-BY-SA-4.0)",
"dependencies": {
Expand Down
4 changes: 2 additions & 2 deletions public/js/commonFramework-2c9795240d.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,13 +51,13 @@ window.common = function(e) {
}
,
a.replaceFormActionAttr = function(e) {
return e.replace(/<form[^>]*>/, function(e) {
return e.replace(/<form(?!<form)[^>]*>/, function(e) {
return e.replace(/action(\s*?)=/, "fccfaa$1=")
})
}
,
a.replaceFccfaaAttr = function(e) {
return e.replace(/<form[^>]*>/, function(e) {
return e.replace(/<form(?!<form)[^>]*>/, function(e) {
return e.replace(/fccfaa(\s*?)=/, "action$1=")
})
}
Expand Down
45 changes: 45 additions & 0 deletions test/commonFramework/bindings.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
// test/bindings.test.js
const { expect } = require('chai');
const { performance } = require('perf_hooks');

// 安全替代函数
function stripTrailingHashes(url) {
let i = url.length - 1;
while (i >= 0 && url[i] === '#') i--;
return url.slice(0, i + 1);
}

// 模拟原版逻辑(用于对比测试)
function originalReplace(url) {
return url.replace(/#+$/, '');
}

describe('✅ stripTrailingHashes replacement test', function () {
this.timeout(10000); // 最多允许10秒运行

it('should match behavior of original regex for normal cases', () => {
const cases = [
["https://a.com/page#", "https://a.com/page"],
["https://a.com/page###", "https://a.com/page"],
["https://a.com/page#section", "https://a.com/page#section"],
["https://a.com/page#section#", "https://a.com/page#section"],
["https://a.com/page", "https://a.com/page"],
];

for (const [input, expected] of cases) {
expect(stripTrailingHashes(input)).to.equal(expected);
expect(stripTrailingHashes(input)).to.equal(originalReplace(input));
}
});

it('should not hang on malicious long string input', () => {
const attack = '#'.repeat(100000) + '@';
const testUrl = 'https://a.com/' + attack;
const t0 = performance.now();
const result = stripTrailingHashes(testUrl);
const t1 = performance.now();
const duration = (t1 - t0) / 1000;
console.log(`⏱️ safeReplace() 执行耗时:${duration.toFixed(3)} s`);
expect(duration).to.be.lessThan(1); // 应该非常快(毫秒级)
});
});