Denial of Service in render method

jonschlinkert / remarkable

Markdown parser, done right. Commonmark support, extensions, syntax plugins, high speed - all in one. Gulp and metalsmith plugins available. Used by Facebook, Docusaurus and many others! Use https://github.com/breakdance/breakdance for HTML-to-markdown conversion. Use https://github.com/jonschlinkert/markdown-toc to generate a table of contents.

https://jonschlinkert.github.io/remarkable/demo/

MIT License

5.75k stars 373 forks source link

Denial of Service in render method #270

Open Sekhmet opened 7 years ago

Sekhmet commented 7 years ago

Following code causes Denial of Service (execution never finishes)

const Remarkable = require('remarkable');

const remarkable = new Remarkable({ html: true });

console.log(remarkable.render("\\t<!---<div style=\"                                      \"\n"));

Example comes from: https://steemit.com/steemit/@spaced/bug-report-i-found-a-js-dos

jonschlinkert commented 7 years ago

Thanks for the heads up. I'm assuming you're creating issues on all github repositories with this "bug"?

Sekhmet commented 7 years ago

Do you mind explaining what's wrong with that issue for you?

jonschlinkert commented 7 years ago

@Sekhmet where did I say something was wrong with the issue? Given how general that regex bug is, and that it can effect any HTML-related library that uses regular expressions that have a star-height of greater than 1, I just asked if you were going to be kind enough to let the rest of GitHub know about this issue. Or do you need me to explain that in more detail?

edit: and sorry, I didn't mean to sound snarky. I am going to fix the bug, my only point is that this is a problem with regex in general (truly). Someone could sit there and create contrived regular expressions all day that cause potentially catastrophic backtracking. It's easy to check for a star height of 1, but not easy to check for a regex that will actually catastrophically backtrack, so it's hard to say what's a positive versus false-positive.

Sekhmet commented 7 years ago

Sorry. I got confused by the fact that you written bug in quotes, thought that you mean that it's not considered bug and I'm somehow overusing it and spamming other repos with it.

jonschlinkert commented 7 years ago

oh... actually I think someone created a lib for this

edit: safe-regex might be usable for this, but it does check for a star height of 1, which is what I was saying would return false positives sometimes. still, since this is only one example of a problematic regex, safe-regex seems worth looking into for this. Maybe we can expose an option to enable it for when remarkable is implemented in another app. I'll do some testing locally.

(also I see what you mean about "bug" being in quotes. I don't know why I did that)