trim code after regexp

[UziTech]

Trimming the code after the regexp (instead of inside the regexp) seems to fix the regexp DOS described in #937

fixes #937

here is code to test it:

function genstr(len, chr) {
  var result = '';
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var regex,start,output,end;

var input =  '`x' + genstr(50000, ' ') + 'x`';

regex = /^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/;
start = process.hrtime();
output = '<code>'+regex.exec(input)[2]+'</code>';
end = process.hrtime(start);

console.info(' DOS execution time (hr): %ds %dms', end[0], end[1] / 1000000);

regex = /^(`+)([\s\S]*?[^`])\1(?!`)/;
start = process.hrtime();
output = '<code>'+regex.exec(input)[2].trim()+'</code>';
end = process.hrtime(start);

console.info('Trim execution time (hr): %ds %dms', end[0], end[1] / 1000000);

[kunagpal]

@UziTech Could you send this pull request to https://github.com/8fold/marked instead? It looks like this module is unmaintained 😞

[UziTech]

Added the pull request https://github.com/8fold/marked/pull/1

[marcoscaceres]

@guypod or @maban, any chance of evaluating and adding this patch to @snyk? It might solve for https://snyk.io/vuln/npm:marked:20170907

[karenyavine]

Hey! We're already looking into it :)

[karenyavine]

We released a patch for this here: https://snyk.io/vuln/npm:marked:20170907
@marcoscaceres @UziTech

[marcoscaceres]

Amazing! Thanks so much @karenyavine! 🙏

[UziTech]

this was merged with v0.3.9