Merge pull request #14 from commenthol/fix-regex-xss

fix: for GHSA-3fjq-93xj-3f3f
commenthol · Dec 6, 2019 · d0234d3 · d0234d3
2 parents 39f6ddf + 181d7d5
commit d0234d3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -75,7 +75,7 @@ function serialize (source, opts) {
     out += !/^\s*(function|\([^)]*\)\s*=>)/m.test(tmp) ? 'function ' + tmp : tmp
   } else if (util.isObject(source)) {
     if (util.isRegExp(source)) {
-      out += source.toString()
+      out += 'new RegExp("' + source.source + '", "' + source.flags + '")'
     } else if (util.isDate(source)) {
       out += 'new Date("' + source.toJSON() + '")'
     } else if (util.isError(source)) {

diff --git a/test/fixtures.js b/test/fixtures.js
@@ -33,7 +33,7 @@ module.exports = {
   ],
   'regex': [
     /test(?:it)?/ig,
-    '/test(?:it)?/gi'
+    'new RegExp("test(?:it)?", "gi")'
   ],
   'object': [
     { a: 1, b: 2 },
@@ -138,6 +138,14 @@ module.exports = {
     new Float64Array([1e12, 2000000, 3.1415, -4.9e2, 5]),
     'new Float64Array([1000000000000, 2000000, 3.1415, -490, 5])',
     'toString'
+  ],
+  'regexXss': [
+    /[</script><script>alert('xss')//]/i,
+    'new RegExp("[</script><script>alert(\'xss\')//]", "i")'
+  ],
+  'regex no flags': [
+    /abc/,
+    'new RegExp("abc", "")'
   ]
 }