
Commit 2ba00fe

authoredOct 3, 2023
[2609] fix ReDoS vulnerability in email regex (#2824)
1 parent ae0f7a2 commit 2ba00fe


5 files changed

+5
-3
lines changed


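--- a/deno/lib/README.md
+++ b/deno/lib/README.md
@@ -1879,7 +1879,7 @@ You can create a Zod schema for any TypeScript type by using `z.custom()`. This
 
 ```ts
 const px = z.custom<`${number}px`>((val) => {
-return /^\d+px$/.test(val as string);
+return typeof val === "string" ? /^\d+px$/.test(val) : false;
 });
 
 type px = z.infer<typeof px>; // `${number}px`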

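--- a/deno/lib/__tests__/string.test.ts
+++ b/deno/lib/__tests__/string.test.ts
@@ -146,6 +146,7 @@ test("email validations", () => {
 `gbacher0@[IPv6:bc37:4d3f:5048:2e26:37cc:248e:df8e:2f7f:af]`,
 `invalid@[IPv6:5348:4ed3:5d38:67fb:e9b:acd2:c13:192.168.256.1]`,
 `test@.com`,
+`aaaaaaaaaaaaaaalongemailthatcausesregexDoSvulnerability@test.c`
 ];
 const emailSchema = z.string().email();
 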
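--- a/deno/lib/types.ts
+++ b/deno/lib/types.ts
@@ -565,7 +565,7 @@ const uuidRegex =
 // const emailRegex =
 // /^(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/i;
 const emailRegex =
-/^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
+/^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
 // const emailRegex =
 // /^[a-z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-z0-9-]+(?:\.[a-z0-9\-]+)*$/i;
 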
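--- a/src/__tests__/string.test.ts
+++ b/src/__tests__/string.test.ts
@@ -145,6 +145,7 @@ test("email validations", () => {
 `gbacher0@[IPv6:bc37:4d3f:5048:2e26:37cc:248e:df8e:2f7f:af]`,
 `invalid@[IPv6:5348:4ed3:5d38:67fb:e9b:acd2:c13:192.168.256.1]`,
 `test@.com`,
+`aaaaaaaaaaaaaaalongemailthatcausesregexDoSvulnerability@test.c`
 ];
 const emailSchema = z.string().email();
 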
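Review bot: The new fixture on line 148 carries no hint of why it exists, and nothing in the list shows what makes it invalid; reading the regex change in src/types.ts, it is presumably rejected only because its TLD `c` is shorter than the `[A-Z]{2,}` minimum, while its long run of local-part characters is what the previous pattern backtracked on. Without that recorded, a later cleanup could shorten or drop the entry and silently lose the regression. Add a comment above it such as `// regression: long local part must fail fast rather than hang on catastrophic backtracking`. The entry also lacks the trailing comma the preceding entries carry, and the same addition is mirrored in deno/lib/__tests__/string.test.ts. The enclosing `test("email validations", ...)` callback starts and ends outside the hunk.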
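--- a/src/types.ts
+++ b/src/types.ts
@@ -565,7 +565,7 @@ const uuidRegex =
 // const emailRegex =
 // /^(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/i;
 const emailRegex =
-/^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
+/^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
 // const emailRegex =
 // /^[a-z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-z0-9-]+(?:\.[a-z0-9\-]+)*$/i;
 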
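Review bot: The local-part class `[A-Z0-9_+-\.]*` on the new line 568 parses `+-\.` as a range from `+` (0x2B) to `.` (0x2E), so a comma in the local part now passes validation (`a,b@example.com` matches) even though the old pattern and the adjacent `[A-Z0-9_+-]` atom reject it; move the hyphen to the end or escape it, e.g. `/^(?!\.)(?!.*\.\.)([A-Z0-9_+.-]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i`, which also matches the `\-` spelling the domain class already uses. The backtracking fix itself looks sound: the `([A-Z0-9_+-]+\.?)*` group with its ambiguous optional dot is gone, and the remaining repeated group ends in a literal `\.` its inner class cannot consume, so the engine has no overlapping ways to split the input. A short comment above the literal explaining that the two lookaheads enforce "no leading dot" and "no consecutive dots" would help, since that intent is not obvious from the regex alone. The identical line is mirrored in deno/lib/types.ts.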