Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pathological inputs #129

Open
mity opened this issue Sep 27, 2017 · 0 comments
Open

Pathological inputs #129

mity opened this issue Sep 27, 2017 · 0 comments

Comments

@mity
Copy link

mity commented Sep 27, 2017
edited by jgm
Loading

I have just took a look how commonmark.js deals with the pathological inputs in Cmark's pathological_tests.py and in recently reported Cmark bugs.

Below is list of commands generating input which, after copying into http://try.commonmark.org/, makes JS interpreter in Firefox or Chrome unresponsive for looong time, many of them even result in browser offering user to kill the script.

In vast majority of applications user may likely only DoS-attack his own browser so security impact of these is limited. Still, it should be fixed.

"Openers and closers multiple of 3":

python -c 'print(("a**b" + ("c* " * 50000)))'

(Fixed in CMark, see commonmark/cmark#178)

"Nested block quotes":

python -c 'print((("> " * 50000) + "a"))'

(Works in CMark)

"Backticks":

python -c 'print("".join(map(lambda x: ("e" + "`" * x), range(1,10000))))'

(Fixed in CMark, see commonmark/cmark@8ed5c9d)

"Unclosed inline links":

python -c 'print("[a](b" * 50000)'

Fixed in cmark: see commonmark/cmark#214

python -c 'print("[a](<b" * 50000)'

Broken in cmark: see commonmark/cmark#218.

"Many ref. definitions"

python -c 'print("[a]: u\n" * 16 * 50000)'

(Fixed in Cmark, see commonmark/cmark#232)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mity