From 3721c6016ad9c204802392a327b122041cf6a251 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowicz
Date: Thu, 21 Oct 2021 11:26:15 +0200
Subject: [PATCH] Fixes unsafe data URI regexes. See https://huntr.dev/bounties/6937a4ed-e41f-4fff-8f9b-8bcbed0f616e/
---
 History.md | 5 +++++
 lib/reader/match-data-uri.js | 2 +-
 lib/utils/is-data-uri-resource.js | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/History.md b/History.md
index 19bd5fe06..3bcb80b07 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+[5.2.2 / 2021-xx-xx](https://github.com/clean-css/clean-css/compare/v5.2.1...5.2)
+==================
+
+* Fixed an unsafe data URI regex, which, when clean-css is used as a service, could be used in a DOS attack.
+
 [5.2.1 / 2021-09-30](https://github.com/clean-css/clean-css/compare/v5.2.0...v5.2.1)
 ==================
 
diff --git a/lib/reader/match-data-uri.js b/lib/reader/match-data-uri.js
index d0d5a4c74..0e321ea9f 100644
--- a/lib/reader/match-data-uri.js
+++ b/lib/reader/match-data-uri.js
@@ -1,4 +1,4 @@
-var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/;
+var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/;
 
 function matchDataUri(uri) {
   return DATA_URI_PATTERN.exec(uri);
diff --git a/lib/utils/is-data-uri-resource.js b/lib/utils/is-data-uri-resource.js
index 58558110f..17c9e65fd 100644
--- a/lib/utils/is-data-uri-resource.js
+++ b/lib/utils/is-data-uri-resource.js
@@ -1,4 +1,4 @@
-var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/;
+var DATA_URI_PATTERN = /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/;
 
 function isDataUriResource(uri) {
   return DATA_URI_PATTERN.test(uri);
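Review bot: The new charset group `(?:(?!;charset=)[^;])+` in `DATA_URI_PATTERN` accepts exactly the same strings as the old `[^;]+`, because `[^;]` only consumes a character that is not `;`, so the lookahead `(?!;charset=)` can never fail at a position where the class would match. The lazy `(\S*?)?` and `(;[^,]+?)?` groups still overlap on `;`-separated text, so the backtracking cost on input that contains no `,` looks unchanged, and the same holds for the identical pattern in the lib/utils/is-data-uri-resource.js hunk. I would make the groups disjoint instead, for example `/^data:([^;,\s]*)(;charset=[^;,]+)?(;[^,]+)?,(.+)/` (a candidate to check against the existing data URI tests, since it narrows what the first two groups capture), and add a regression test that bounds match time on a long non-matching URI. Both files define the same constant, so exporting it from one module would keep future fixes in one place; `matchDataUri` and `isDataUriResource` both close outside their hunks.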