search

yo35 / kokopu

A JavaScript/TypeScript library implementing the chess game rules and providing tools to read/write the standard chess file formats.
https://www.npmjs.com/package/kokopu
GNU Lesser General Public License v3.0
27 stars 5 forks source link

PGN parsing fixes #30

Closed mbutsykin closed 2 years ago

mbutsykin commented 2 years ago
yo35 commented 2 years ago

Thanks for the fixes. I'll add your name to the list of contributors, and I will issue a new version of the lib this afternoon.

mbutsykin commented 2 years ago

Thanks for fast feedback!

yo35 commented 2 years ago

By the way, I suspected that there could be a ReDoS vulnerability due to your change on the regex _commentMode, and it appears to be the case. If you try to parse the following PGN:

[Event "ReDoS using comment"]

1. e4 {Evil unterminated comment with lots of backslashes \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

... you'll see that it takes several seconds (and in fact the runtime doubles with each new backslash). I've fixed that in https://github.com/yo35/kokopu/commit/ce236369a636bb10a731ff7a0d4dfad2a11b8409

Regular expressions are sneaky guys! ;-)

mbutsykin commented 2 years ago

Wow. nice catch) good job!