
fix(validators): update the url validator, to reduce potential ReDos …
…attacks (#933)
dobromir-hristov committed Sep 10, 2021
1 parent 2cd1fbb commit 1f0ca31
Showing 2 changed files with 14 additions and 11 deletions.
20 changes: 10 additions & 10 deletions packages/validators/src/raw/__tests__/url.spec.js
Expand Up @@ -10,6 +10,11 @@ describe('url validator', () => {
'HTTP://FOO.COM/BLAH_BLAH',
'HTTP://FOO.COM/blah_blah',
'http://foo.com/blah_blah/',
/** domains ending with a dot at the end are valid, {@see http://www.dns-sd.org/trailingdotsindomainnames.html} */
'http://www.foo.bar./',
'http://www.foo.bar.',
'http://foo.bar.',
'http://foo.bar./',
'http://foo.com/blah_blah_(wikipedia)',
'http://foo.com/blah_blah_(wikipedia)_(again)',
'http://www.example.com/wpstyle/?p=364',
Expand Down Expand Up @@ -40,7 +45,7 @@ describe('url validator', () => {
'http://مثال.إختبار',
'http://例子.测试',
'http://उदाहरण.परीक्षा',
"http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com",
'http://-.~_!$&\'()*+,;=:%40:80%2f::::::@example.com',
'http://1337.net',
'http://a.b-c.de',
'http://223.255.255.254'
Expand Down Expand Up @@ -80,21 +85,16 @@ describe('url validator', () => {
'http://123.123.123',
'http://3628126748',
'http://.www.foo.bar/',
'http://www.foo.bar./',
'http://.www.foo.bar./',
'http://10.1.1.1',
'http://10.1.1.254'
]

correctUrls.forEach((urlString) => {
it(`should validate correct url ${urlString}`, () => {
expect(url(urlString)).toBe(true)
})
it.each(correctUrls)('should validate correct url %s', (urlString) => {
expect(url(urlString)).toBe(true)
})

incorrectUrls.forEach((urlString) => {
it(`should not validate incorrect url ${urlString}`, () => {
expect(url(urlString)).toBe(false)
})
it.each(incorrectUrls)('should not validate incorrect url %s', (urlString) => {
expect(url(urlString)).toBe(false)
})
})
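Review bot: The spec still carries no regression test for the ReDoS this commit is meant to fix; the new cases at lines 20-24 only cover trailing-dot hostnames, so a later edit to the regex could reintroduce catastrophic backtracking without any test failing. Add one case that feeds a long input the validator must reject and relies on the default test timeout to turn a hang into a failure, e.g. `it('rejects a long invalid host without hanging', () => { expect(url(`http://${'a'.repeat(10000)}`)).toBe(false) })`. The block comment at line 20 is written as a JSDoc `/** ... {@see ...} */` inside an array literal, where it attaches to nothing; a plain `// domains ending with a dot are valid, see http://www.dns-sd.org/trailingdotsindomainnames.html` is the conventional form there. The enclosing `describe('url validator', ...)` block starts before the first hunk.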
5 changes: 4 additions & 1 deletion packages/validators/src/raw/url.js
@@ -1,5 +1,8 @@
import { regex } from '../common'

const urlRegex = /^(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))(?::\d{2,5})?(?:[/?#]\S*)?$/i
/**
* Regex taken from {@link https://gist.github.com/dperini/729294}
*/
const urlRegex = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i

export default regex(urlRegex)
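Review bot: The rewritten regex on line 71 makes the scheme optional (`(?:(?:https?|ftp):)?\/\/`), so protocol-relative strings such as `//example.com` now pass a validator that previously required `http`, `https` or `ftp`; this widening is unrelated to the ReDoS fix, is not mentioned in the commit message, and changes what consumers accept as a URL. Either restore the mandatory scheme by changing the prefix back to `(?:(?:https?|ftp):\/\/)`, or state the new behavior in the JSDoc above it, e.g. `* Scheme is optional: protocol-relative URLs such as //host/path are accepted.`. Bounding each host label with `{0,62}` does remove the nested `(?:[...]-*)*` quantifier from the old pattern, which was the main backtracking source; the userinfo part `\S+(?::\S*)?@` is unchanged and, because both `\S+` and `\S*` can consume `:`, it may still backtrack polynomially on long inputs that contain no `@`, which is worth a quick timing check. A one-line comment on why labels are length-capped would make the bound self-explaining for the next person who touches the pattern.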
