Fix two exponential regex backtracking vulnerabilities

ESCAPED_CHAR already matches `\\`, so matching it again in another alternative was just causing an exponential complexity explosion. Fixes commonmark#157. Signed-off-by: Anders Kaseorg <[email protected]>
andersk · Mar 10, 2019 · 712e4b7 · 712e4b7
1 parent 2052768
commit 712e4b7
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/inlines.js b/lib/inlines.js
@@ -46,7 +46,7 @@ var reLinkTitle = new RegExp(
         '\\((' + ESCAPED_CHAR + '|[^)\\x00])*\\))');
 
 var reLinkDestinationBraces = new RegExp(
-    '^(?:[<](?:[^<>\\n\\\\\\x00]' + '|' + ESCAPED_CHAR + '|' + '\\\\)*[>])');
+    '^(?:[<](?:[^<>\\n\\\\\\x00]' + '|' + ESCAPED_CHAR + ')*[>])');
 
 var reEscapable = new RegExp('^' + ESCAPABLE);
 
@@ -79,7 +79,7 @@ var reInitialSpace = /^ */;
 var reSpaceAtEndOfLine = /^ *(?:\n|$)/;
 
 var reLinkLabel = new RegExp('^\\[(?:[^\\\\\\[\\]]|' + ESCAPED_CHAR +
-  '|\\\\){0,1000}\\]');
+  '){0,1000}\\]');
 
 // Matches a string of non-special characters.
 var reMain = /^[^\n`\[\]\\!<&*_'"]+/m;