search

microsoft / language-server-protocol

Defines a common protocol for language servers.
https://microsoft.github.io/language-server-protocol/
Creative Commons Attribution 4.0 International
11.22k stars 797 forks source link

Support for these complex snippets should be a capability #1137

Open dbaeumer opened 3 years ago

dbaeumer commented 3 years ago

Also, support for these complex snippets should be a capability. It seems that as soon as you declare support for snippets, you're binding yourself to implementing a potentially changing snippet specification.

Or at least, version the specification of snippets maybe ?

For example, in Vim there's no way to support JavaScript regexes without writing a JavaScript to Vim regex compiler

See https://github.com/microsoft/language-server-protocol/issues/363

hauleth commented 3 years ago

It is also important, that many JS-compatible regex engines uses "plain NFA" wich can result with "regex of doom", example:

> console.time("regex"); /(a*)*b/.test((Array(20).fill("a").join(''))); console.timeEnd("regex");
regex: 34.394ms
undefined
> console.time("regex"); /(a*)*b/.test((Array(21).fill("a").join(''))); console.timeEnd("regex");
regex: 63.107ms
undefined
> console.time("regex"); /(a*)*b/.test((Array(22).fill("a").join(''))); console.timeEnd("regex");
regex: 114.081ms
undefined
> console.time("regex"); /(a*)*b/.test((Array(25).fill("a").join(''))); console.timeEnd("regex");
regex: 814.702ms
undefined

As you can see, with pretty innocent regex and pretty innocent string we can show exponential times of executing the regex. This can result with DoS from the untrusted LS.