fix: ReDoS referrer (#1611)

doublevkay · Khang. Võ Vĩ · LinusU · web-flow · commit 28802387292b · 2022-07-31T10:01:29.000+02:00
* fix ReDoS referrer

* Update src/utils/referrer.js

Eliminate regex and use string matcher

Co-authored-by: Linus Unnebäck &lt;linus@folkdatorn.se&gt;

Co-authored-by: Khang. Võ Vĩ &lt;khangvv@vng.com.vn&gt;
Co-authored-by: Linus Unnebäck &lt;linus@folkdatorn.se&gt;
diff --git a/src/utils/referrer.js b/src/utils/referrer.js
@@ -119,7 +119,7 @@ export function isOriginPotentiallyTrustworthy(url) {
 	// 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
 	// We are returning FALSE here because we cannot ensure conformance to
 	// let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
-	if (/^(.+\.)*localhost$/.test(url.host)) {
+	if (url.host === 'localhost' || url.host.endsWith('.localhost')) {
 		return false;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ export function isOriginPotentiallyTrustworthy(url) {`
`119`	`119`	`// 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".`
`120`	`120`	`// We are returning FALSE here because we cannot ensure conformance to`
`121`	`121`	`// let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)`
`122`		`- if (/^(.+\.)*localhost$/.test(url.host)) {`
	`122`	`+ if (url.host === 'localhost' \|\| url.host.endsWith('.localhost')) {`
`123`	`123`	`return false;`
`124`	`124`	`}`
`125`	`125`