Fixes unsafe data URI regexes.

See https://huntr.dev/bounties/6937a4ed-e41f-4fff-8f9b-8bcbed0f616e/
clean-css · Oct 21, 2021 · 3721c60 · 3721c60
1 parent 8ce58bc
commit 3721c60
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/History.md b/History.md
@@ -1,3 +1,8 @@
+[5.2.2 / 2021-xx-xx](https://github.com/clean-css/clean-css/compare/v5.2.1...5.2)
+==================
+
+* Fixed an unsafe data URI regex, which, when clean-css is used as a service, could be used in a DOS attack.
+
 [5.2.1 / 2021-09-30](https://github.com/clean-css/clean-css/compare/v5.2.0...v5.2.1)
 ==================
 

diff --git a/lib/reader/match-data-uri.js b/lib/reader/match-data-uri.js
@@ -1,4 +1,4 @@
-var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/;
+var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/;
 
 function matchDataUri(uri) {
   return DATA_URI_PATTERN.exec(uri);

diff --git a/lib/utils/is-data-uri-resource.js b/lib/utils/is-data-uri-resource.js
@@ -1,4 +1,4 @@
-var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/;
+var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/;
 
 function isDataUriResource(uri) {
   return DATA_URI_PATTERN.test(uri);