-
-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Inefficient regex in the no-unknown-property rule #3666
Comments
Unfortunately using that regex causes 16 test failures. |
Sorry, the proposed regex fix was miswritten. This should work ok: |
Thanks! |
You mention:
Did you ever find an explanation as to why that is? That means it's going to incorrectly flag props that start with data (eg. dataLayer, dataAmount, etc...) |
@jeremydrichardson if that’s the case, please file a new issue and we can fix that too |
Is there an existing issue for this?
Description Overview
The regex in charge of parsing data attributes in the no-unknown-property rule is vulnerable to catastrophic backtracking:
https://github.com/jsx-eslint/eslint-plugin-react/blob/master/lib/rules/no-unknown-property.js#L431
Here's an example payload:
https://regex101.com/r/GvfmhG/1
As a result, the function
isValidDataAttribute(name)
is affected.According to the project maintainers contacted via the security channel, there aren't security concerns given how
eslint-plugin-react
is used.Possible Fix:
The root cause of the exponential complexity in
isValidDataAttribute()
regex seems to be the nested quantifier. In my tests, the following regex avoids that while retaining the same matching capability as the old one:^data(-?[-[^:]]*)$
Note that both regexes (the old and the proposed one) match "
data
" or "data-
", which are not valid according to the HTML5 specification.Expected Behavior
Process executing not in exponential time.
eslint-plugin-react version
v7.33.2
eslint version
v8.54.0
node version
v18.13.0
The text was updated successfully, but these errors were encountered: