fix regex in utils.stackTraceFilter to prevent ReDoS #3416

if the stack trace begins with a large error message (>= 20k charactors), and user leaves `--full-trace` disabled, `utils.stackTraceFilter()` takes ages to finish. Large error messages is quite possible when user makes containment assertions such as `expect(content).to.contain(word)`.
mochajs · Jan 24, 2019 · 81d9525 · 81d9525
1 parent 0f95a7d
commit 81d9525
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/lib/utils.js b/lib/utils.js
@@ -647,8 +647,6 @@ exports.stackTraceFilter = function() {
   function isMochaInternal(line) {
     return (
       ~line.indexOf('node_modules' + slash + 'mocha' + slash) ||
-      ~line.indexOf('node_modules' + slash + 'mocha.js') ||
-      ~line.indexOf('bower_components' + slash + 'mocha.js') ||
       ~line.indexOf(slash + 'mocha.js')
     );
   }
@@ -677,7 +675,7 @@ exports.stackTraceFilter = function() {
       }
 
       // Clean up cwd(absolute)
-      if (/\(?.+:\d+:\d+\)?$/.test(line)) {
+      if (/:\d+:\d+\)?$/.test(line)) {
         line = line.replace('(' + cwd, '(');
       }
 

diff --git a/test/unit/runner.spec.js b/test/unit/runner.spec.js
@@ -487,6 +487,32 @@ describe('Runner', function() {
         });
         runner.failHook(hook, err);
       });
+
+      it('should not hang if the error message is ridiculously long', function(done) {
+        var hook = new Hook();
+        var message = [];
+        // mock a long message
+        for (var i = 0; i < 20000; i++) {
+          var line = stack[i % stack.length];
+          message[i] = line[Math.floor(Math.random() * line.length)];
+        }
+        var err = new Error(message);
+        // Fake stack-trace
+        err.stack = [message].concat(stack).join('\n');
+
+        runner.on('fail', function(hook, err) {
+          expect(
+            err.stack
+              .split('\n')
+              .slice(1)
+              .join('\n'),
+            'to be',
+            stack.slice(0, 3).join('\n')
+          );
+          done();
+        });
+        runner.failHook(hook, err);
+      });
     });
   });