Fix #11: Support double quotes in strings #12
Looks good to me! Just give me some more time to read the code properly before merging.
src/filtrex.js
); | ||
return "STRING";` | ||
], // "foo" | ||
['"(?:\\\\"|[^"])*"', 'return "STRING";'], // "foo" |
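Review bot: In the new STRING rule on the last line, the second alternative [^"] also matches a backslash, so the input "a\" (a lone backslash directly before the closing quote) lexes as a complete STRING token and that dangling backslash is carried into the generated code, where it escapes the closing quote of the emitted literal. Use [^"\\] for the not-char alternative so a backslash can only appear as part of the \" escape, and have the action return a re-escaped literal (the discussion notes this PR drops the JSON.stringify step; keeping it, on the decoded value, makes the emitted string well-formed no matter what the regex admitted) rather than the raw match.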
Your regex also matches "a\" as a legit string. The not-char pattern should be something like [^"\\] instead of [^"]. This can be used as an exploit, because the next string would be actually executed as JavaScript:

"a\" == "; window.p0wned = true; //"

Also, can you guarantee that removing the JSON.stringify won't result in any malicious code? We know that everything that comes out of stringify is safe. But how can we be sure every match of your regex is safe? (After fixing the previous bug, of course, now it obviously isn't safe.)

I've found a potential security bug in your code, please be sure to fix it before I merge the PR.
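As an added example that is not filtrex's own code, the script below runs the STRING regex from the hunk above against constructed inputs next to a tightened variant, and shows what happens when the matched text is emitted into generated JavaScript with and without JSON.stringify. The tightened pattern and the helper names (lexString, emitSafe, emitRaw, generate, compiles, demo) are assumptions made for this illustration, not the change that was merged upstream.

```javascript
// Added example, not filtrex code. Compares the string-literal regex posted in
// this PR with a tightened variant, and shows why the matched text must not be
// pasted verbatim into generated JavaScript. All inputs are constructed.

// The PR's lexer rule '"(?:\\\\"|[^"])*"', as a JS string, is this pattern.
// Its second alternative, [^"], also consumes a lone backslash.
const PR_STRING = /^"(?:\\"|[^"])*"/;

// Tightened variant (an assumption for this example, not the version merged
// upstream): a backslash may only occur as \" or \\, so a dangling backslash
// can never sit directly before the closing quote.
const TIGHT_STRING = /^"(?:\\["\\]|[^"\\])*"/;

// Lex one STRING token from the start of `input`, as an anchored lexer rule
// would. Returns the raw matched text, or null when the rule does not match.
function lexString(re, input) {
  const m = input.match(re);
  return m ? m[0] : null;
}

// Decode the token body (\" -> ", \\ -> \) and re-encode the value with
// JSON.stringify, so the emitted literal is always a well-formed JS string.
function emitSafe(token) {
  const value = token.slice(1, -1).replace(/\\(["\\])/g, '$1');
  return JSON.stringify(value);
}

// Emit the matched text as-is: what dropping JSON.stringify amounts to.
function emitRaw(token) {
  return token;
}

// Body of a compiled filter that compares the literal with data.x, in the
// style of code built by string concatenation.
function generate(token, emit) {
  return 'return ' + emit(token) + ' === data.x;';
}

// Compile the generated body the way a filter would be; returns 'ok' or the
// name of the error thrown by the JavaScript parser.
function compiles(code) {
  try {
    new Function('data', code);
    return 'ok';
  } catch (e) {
    return e.name;
  }
}

// Constructed inputs: a backslash dangling before the closing quote, and a
// JavaScript escape sequence that no filtrex escape rule defines.
const DANGLING = '"a\\"';        // the text  "a\"
const UNICODE = '"\\u0041"';     // the text  "\u0041"

function demo() {
  return {
    prDangling: lexString(PR_STRING, DANGLING),          // whole text accepted
    tightDangling: lexString(TIGHT_STRING, DANGLING),    // rejected
    prUnicode: lexString(PR_STRING, UNICODE),            // \u passes straight through
    tightUnicode: lexString(TIGHT_STRING, UNICODE),      // rejected
    rawCompile: compiles(generate(DANGLING, emitRaw)),   // closing quote escaped: SyntaxError
    safeCompile: compiles(generate(DANGLING, emitSafe)), // re-escaped literal compiles
  };
}

console.log(demo());
```

Note that the payload quoted in the review, "a\" == "; window.p0wned = true; //", is lexed by the PR's regex as the single token "a\" == " because the \" alternative is tried first at the backslash; the dangling-backslash case only surfaces when no later quote closes the longer match, which is exactly when the regex backtracks into letting [^"] eat the backslash.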
This reverts commit dd9510f.
Thanks for the detailed explanation! I added tests for these specific cases, but actually the regex was already not vulnerable to this. It seems to me this was because the first alternative in the parentheses ( Even so, it is true the regex would pretty much allow all JS escape codes to sneak in. I did not see much issue with this, though I admit I can also not guarantee it to be safe. So I have tightened the regex, so that only Adding
Thank you!
@arendjr Don't you mind being added to the list of contributors in README?
Not at all 👍
This PR makes it possible to use double quotes inside strings, provided they're escaped with a preceding backslash.
Please note this PR could be considered breaking, as literal backslashes will now be interpreted as escape characters.