From d60d34f1b4698c4f8559c2df7b2b5642625454a5 Mon Sep 17 00:00:00 2001
From: Markus Gattol
Date: Mon, 21 Mar 2022 21:55:52 +0100
Subject: [PATCH] security: new url regex disallow ReDos
---
 is-it-check.js | 2 +-
 test/test.js | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/is-it-check.js b/is-it-check.js
index 89f1625..589f7fd 100644
--- a/is-it-check.js
+++ b/is-it-check.js
@@ -292,7 +292,7 @@
 socialSecurityNumber: /^(?!000|666)[0-8][0-9]{2}-?(?!00)[0-9]{2}-?(?!0000)[0-9]{4}$/,
 timeString: /^(2[0-3]|[01]?[0-9]):([0-5]?[0-9]):([0-5]?[0-9])$/,
 ukPostCode: /^[A-Z]{1,2}[0-9RCHNQ][0-9A-Z]?\s?[0-9][ABD-HJLNP-UW-Z]{2}$|^[A-Z]{2}-?[0-9]{4}$/,
- url: /^(?:(?:https?|ftp):\/\/)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))(?::\d{2,5})?(?:\/\S*)?$/i,
+ url: /https?:\/\/(www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_+.~#?&//=]*)/i,
 usZipCode: /^[0-9]{5}(?:-[0-9]{4})?$/
 }
diff --git a/test/test.js b/test/test.js
index da1a201..d1d6cb2 100644
--- a/test/test.js
+++ b/test/test.js
@@ -463,6 +463,9 @@
 it('should return true if given value is url', () => {
 expect(is.url('http://www.test.com')).to.be.true
 })
+ it('should return true if given value is url', () => {
+ expect(is.url('https://github.com/evdama/is-it-check/commit/74b01444421525d636dabb47d4e72b23fd58a152')).to.be.true
+ })
 it('should return false if given value is not url', () => {
 expect(is.url(1)).to.be.false
 })
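Review bot: The replacement `url` pattern has no `^`/`$` anchors, whereas the removed one had both, so if `is.url` applies it with `.test()` (the call site is outside this hunk) any string that merely contains an `http(s)://host.tld` substring will now validate, including input with arbitrary leading or trailing text. Anchoring keeps the bounded quantifiers that address the backtracking problem while restoring whole-string matching: `url: /^https?:\/\/(www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_+.~#?&//=]*)$/i,`. The new pattern also drops the lookaheads that rejected loopback, link-local and RFC 1918 addresses, and no longer accepts `ftp://`, scheme-less or non-ASCII hosts. These are behaviour changes for callers and deserve a changelog line and a comment above the entry such as `// NOTE: syntax check only; does not reject private/loopback hosts`. The enclosing object literal starts outside the hunk.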
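Review bot: The added case only shows that a well-formed GitHub URL still matches; nothing here pins the security property the commit is about, and it reuses the title of the test directly above it. I would rename it (for example `'should return true for https url with path'`) and add a negative case that fails if the pattern is left unanchored, `expect(is.url('text before http://www.test.com')).to.be.false`. A regression case that feeds a long non-matching string and asserts the call returns within the test timeout would document the backtracking fix. The surrounding `describe` block starts and ends outside the hunk.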