Fix ReDos Varnurablity in codemirror library

zolagonano · canewsin · commit 689d9309f733 · 2023-07-12T00:58:03.000+05:30
diff --git a/UiFileManager/media/codemirror/all.js b/UiFileManager/media/codemirror/all.js
@@ -17366,7 +17366,12 @@ CodeMirror.defineMode("javascript", function(config, parserConfig) {
           var kw = keywords[word]
           return ret(kw.type, kw.style, word)
         }
-        if (word == "async" && stream.match(/^(\s|\/\*.*?\*\/)*[\[\(\w]/, false))
+        
+        // vulnerable code: https://security.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
+        // if (word == "async" && stream.match(/^(\s|\/\*.*?\*\/)*[\[\(\w]/, false))
+
+        // Fix: https://github.com/codemirror/codemirror5/blob/a0854c752a76e4ba9512a9beedb9076f36e4f8f9/mode/javascript/javascript.js#L130C36-L130C36
+        if (word == "async" && stream.match(/^(\s|\/\*([^*]|\*(?!\/))*?\*\/)*[\[\(\w]/, false))
           return ret("async", "keyword", word)
       }
       return ret("variable", "variable", word)
diff --git a/UiFileManager/media/codemirror/mode/javascript.js b/UiFileManager/media/codemirror/mode/javascript.js
@@ -126,7 +126,11 @@ CodeMirror.defineMode("javascript", function(config, parserConfig) {
           var kw = keywords[word]
           return ret(kw.type, kw.style, word)
         }
-        if (word == "async" && stream.match(/^(\s|\/\*.*?\*\/)*[\[\(\w]/, false))
+        // vulnerable code: https://security.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
+        //if (word == "async" && stream.match(/^(\s|\/\*.*?\*\/)*[\[\(\w]/, false))
+        
+        // Fix: https://github.com/codemirror/codemirror5/blob/a0854c752a76e4ba9512a9beedb9076f36e4f8f9/mode/javascript/javascript.js#L130C36-L130C36
+        if (word == "async" && stream.match(/^(\s|\/\*([^*]|\*(?!\/))*?\*\/)*[\[\(\w]/, false))
           return ret("async", "keyword", word)
       }
       return ret("variable", "variable", word)

Original file line number	Diff line number	Diff line change
`@@ -17366,7 +17366,12 @@ CodeMirror.defineMode("javascript", function(config, parserConfig) {`
`17366`	`17366`	`var kw = keywords[word]`
`17367`	`17367`	`return ret(kw.type, kw.style, word)`
`17368`	`17368`	`}`
`17369`		`- if (word == "async" && stream.match(/^(\s\|\/\.?\\/)[\[\(\w]/, false))`
	`17369`	`+`
	`17370`	`+ // vulnerable code: https://security.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937`
	`17371`	`+ // if (word == "async" && stream.match(/^(\s\|\/\.?\\/)[\[\(\w]/, false))`
	`17372`	`+`
	`17373`	`+ // Fix: https://github.com/codemirror/codemirror5/blob/a0854c752a76e4ba9512a9beedb9076f36e4f8f9/mode/javascript/javascript.js#L130C36-L130C36`
	`17374`	`+ if (word == "async" && stream.match(/^(\s\|\/\([^]\|\(?!\/))?\\/)[\[\(\w]/, false))`
`17370`	`17375`	`return ret("async", "keyword", word)`
`17371`	`17376`	`}`
`17372`	`17377`	`return ret("variable", "variable", word)`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,11 @@ CodeMirror.defineMode("javascript", function(config, parserConfig) {`
`126`	`126`	`var kw = keywords[word]`
`127`	`127`	`return ret(kw.type, kw.style, word)`
`128`	`128`	`}`
`129`		`- if (word == "async" && stream.match(/^(\s\|\/\.?\\/)[\[\(\w]/, false))`
	`129`	`+ // vulnerable code: https://security.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937`
	`130`	`+ //if (word == "async" && stream.match(/^(\s\|\/\.?\\/)[\[\(\w]/, false))`
	`131`	`+`
	`132`	`+ // Fix: https://github.com/codemirror/codemirror5/blob/a0854c752a76e4ba9512a9beedb9076f36e4f8f9/mode/javascript/javascript.js#L130C36-L130C36`
	`133`	`+ if (word == "async" && stream.match(/^(\s\|\/\([^]\|\(?!\/))?\\/)[\[\(\w]/, false))`
`130`	`134`	`return ret("async", "keyword", word)`
`131`	`135`	`}`
`132`	`136`	`return ret("variable", "variable", word)`