Fix ReDoS (#593)

yetingli · web-flow · commit bd1e9e01c95c · 2021-04-22T08:37:48.000-04:00
Fix 6 ReDoS-vulnerable regexes with pattern `\d*\.?\d+`.
Fix strategy: Replace  `\d*\.?\d+` with  `(d+|\d*\.\d+)`
diff --git a/index.js b/index.js
@@ -799,7 +799,7 @@ var QUERIES = [
     select: sinceQuery
   },
   {
-    regexp: /^(>=?|<=?)\s*(\d*\.?\d+)%$/,
+    regexp: /^(>=?|<=?)\s*(d+|\d*\.\d+)%$/,
     select: function (context, sign, popularity) {
       popularity = parseFloat(popularity)
       var usage = browserslist.usage.global
@@ -824,7 +824,7 @@ var QUERIES = [
     }
   },
   {
-    regexp: /^(>=?|<=?)\s*(\d*\.?\d+)%\s+in\s+my\s+stats$/,
+    regexp: /^(>=?|<=?)\s*(d+|\d*\.\d+)%\s+in\s+my\s+stats$/,
     select: function (context, sign, popularity) {
       popularity = parseFloat(popularity)
       if (!context.customUsage) {
@@ -852,7 +852,7 @@ var QUERIES = [
     }
   },
   {
-    regexp: /^(>=?|<=?)\s*(\d*\.?\d+)%\s+in\s+(\S+)\s+stats$/,
+    regexp: /^(>=?|<=?)\s*(d+|\d*\.\d+)%\s+in\s+(\S+)\s+stats$/,
     select: function (context, sign, popularity, name) {
       popularity = parseFloat(popularity)
       var stats = env.loadStat(context, name, browserslist.data)
@@ -887,7 +887,7 @@ var QUERIES = [
     }
   },
   {
-    regexp: /^(>=?|<=?)\s*(\d*\.?\d+)%\s+in\s+((alt-)?\w\w)$/,
+    regexp: /^(>=?|<=?)\s*(d+|\d*\.\d+)%\s+in\s+((alt-)?\w\w)$/,
     select: function (context, sign, popularity, place) {
       popularity = parseFloat(popularity)
       if (place.length === 2) {
@@ -918,11 +918,11 @@ var QUERIES = [
     }
   },
   {
-    regexp: /^cover\s+(\d*\.?\d+)%$/,
+    regexp: /^cover\s+(d+|\d*\.\d+)%$/,
     select: coverQuery
   },
   {
-    regexp: /^cover\s+(\d*\.?\d+)%\s+in\s+(my\s+stats|(alt-)?\w\w)$/,
+    regexp: /^cover\s+(d+|\d*\.\d+)%\s+in\s+(my\s+stats|(alt-)?\w\w)$/,
     select: coverQuery
   },
   {

Original file line number	Diff line number	Diff line change
`@@ -799,7 +799,7 @@ var QUERIES = [`
`799`	`799`	`select: sinceQuery`
`800`	`800`	`},`
`801`	`801`	`{`
`802`		`- regexp: /^(>=?\|<=?)\s(\d\.?\d+)%$/,`
	`802`	`+ regexp: /^(>=?\|<=?)\s(d+\|\d\.\d+)%$/,`
`803`	`803`	`select: function (context, sign, popularity) {`
`804`	`804`	`popularity = parseFloat(popularity)`
`805`	`805`	`var usage = browserslist.usage.global`
`@@ -824,7 +824,7 @@ var QUERIES = [`
`824`	`824`	`}`
`825`	`825`	`},`
`826`	`826`	`{`
`827`		`- regexp: /^(>=?\|<=?)\s(\d\.?\d+)%\s+in\s+my\s+stats$/,`
	`827`	`+ regexp: /^(>=?\|<=?)\s(d+\|\d\.\d+)%\s+in\s+my\s+stats$/,`
`828`	`828`	`select: function (context, sign, popularity) {`
`829`	`829`	`popularity = parseFloat(popularity)`
`830`	`830`	`if (!context.customUsage) {`
`@@ -852,7 +852,7 @@ var QUERIES = [`
`852`	`852`	`}`
`853`	`853`	`},`
`854`	`854`	`{`
`855`		`- regexp: /^(>=?\|<=?)\s(\d\.?\d+)%\s+in\s+(\S+)\s+stats$/,`
	`855`	`+ regexp: /^(>=?\|<=?)\s(d+\|\d\.\d+)%\s+in\s+(\S+)\s+stats$/,`
`856`	`856`	`select: function (context, sign, popularity, name) {`
`857`	`857`	`popularity = parseFloat(popularity)`
`858`	`858`	`var stats = env.loadStat(context, name, browserslist.data)`
`@@ -887,7 +887,7 @@ var QUERIES = [`
`887`	`887`	`}`
`888`	`888`	`},`
`889`	`889`	`{`
`890`		`- regexp: /^(>=?\|<=?)\s(\d\.?\d+)%\s+in\s+((alt-)?\w\w)$/,`
	`890`	`+ regexp: /^(>=?\|<=?)\s(d+\|\d\.\d+)%\s+in\s+((alt-)?\w\w)$/,`
`891`	`891`	`select: function (context, sign, popularity, place) {`
`892`	`892`	`popularity = parseFloat(popularity)`
`893`	`893`	`if (place.length === 2) {`
`@@ -918,11 +918,11 @@ var QUERIES = [`
`918`	`918`	`}`
`919`	`919`	`},`
`920`	`920`	`{`
`921`		`- regexp: /^cover\s+(\d*\.?\d+)%$/,`
	`921`	`+ regexp: /^cover\s+(d+\|\d*\.\d+)%$/,`
`922`	`922`	`select: coverQuery`
`923`	`923`	`},`
`924`	`924`	`{`
`925`		`- regexp: /^cover\s+(\d*\.?\d+)%\s+in\s+(my\s+stats\|(alt-)?\w\w)$/,`
	`925`	`+ regexp: /^cover\s+(d+\|\d*\.\d+)%\s+in\s+(my\s+stats\|(alt-)?\w\w)$/,`
`926`	`926`	`select: coverQuery`
`927`	`927`	`},`
`928`	`928`	`{`