Release 4.3.1 (#176)

Co-authored-by: Jean-Philippe Zolesio <zolesio@adobe.com>
adobe · Aug 15, 2023 · 2b09a25 · 2b09a25
1 parent 964a6ea
commit 2b09a25
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 6 deletions.
diff --git a/History.md b/History.md
@@ -1,3 +1,8 @@
+4.3.1 / 2023-03-14
+==================
+
+ * Fix redos vulnerability with specific crafted css string - CVE-2023-26364
+
 4.3.0 / 2023-03-07
 ==================
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@adobe/css-tools",
-  "version": "4.3.0",
+  "version": "4.3.1",
   "description": "CSS parser / stringifier",
   "source": "src/index.ts",
   "main": "./dist/index.cjs",

diff --git a/src/parse/index.ts b/src/parse/index.ts
@@ -26,7 +26,9 @@ import {
 
 // http://www.w3.org/TR/CSS21/grammar.html
 // https://github.com/visionmedia/css-parse/pull/49#issuecomment-30088027
-const commentre = /\/\*[^*]*\*+([^/*][^*]*\*+)*\//g;
+// New rule => https://www.w3.org/TR/CSS22/syndata.html#comments
+// [^] is equivalent to [.\n\r]
+const commentre = /\/\*[^]*?(?:\*\/|$)/g;
 
 export const parse = (
   css: string,
@@ -204,8 +206,8 @@ export const parse = (
       return;
     }
 
-    // remove comment in selector; [^] is equivalent to [.\n\r]
-    const res = trim(m[0]).replace(/\/\*[^]*?\*\//gm, '');
+    // remove comment in selector;
+    const res = trim(m[0]).replace(commentre, '');
 
     // Optimisation: If there is no ',' no need to split or post-process (this is less costly)
     if (res.indexOf(',') === -1) {
@@ -654,10 +656,10 @@ export const parse = (
     const re = new RegExp(
       '^@' +
         name +
-        '\\s*((:?[^;\'"]|"(?:\\\\"|[^"])*?"|\'(?:\\\\\'|[^\'])*?\')+);'
+        '\\s*((?::?[^;\'"]|"(?:\\\\"|[^"])*?"|\'(?:\\\\\'|[^\'])*?\')+)(?:;|$)'
     );
 
-    // ^@import\s*([^;"']|("|')(?:\\\2|.)*?\2)+;
+    // ^@import\s*([^;"']|("|')(?:\\\2|.)*?\2)+(;|$)
 
     return function (): T1 | void {
       const pos = position();

diff --git a/test/cases/at-import-dos/ast.json b/test/cases/at-import-dos/ast.json
@@ -0,0 +1 @@
+{"type":"stylesheet","stylesheet":{"source":"input.css","rules":[{"type":"import","import":":\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':\\'\\'\\'':","position":{"start":{"line":1,"column":1},"end":{"line":1,"column":801},"source":"input.css"}}],"parsingErrors":[]}}
diff --git a/test/cases/at-import-dos/compressed.css b/test/cases/at-import-dos/compressed.css
diff --git a/test/cases/at-import-dos/input.css b/test/cases/at-import-dos/input.css
diff --git a/test/cases/at-import-dos/output.css b/test/cases/at-import-dos/output.css