Fix CodeQL warning in indentation

[jeddy3]

The CI is failing on two CodeQL warnings:

Check failure on line 541 in lib/rules/indentation/index.js
Inefficient regular expression
This part of the regular expression may cause exponential backtracking on strings starting with '!\n' and containing many repetitions of '\n'.

Check failure on line 3808 in lib/utils/parseCalcExpression/parser.js
Inefficient regular expression
This part of the regular expression may cause exponential backtracking on strings starting with 'a(' and containing many repetitions of '''.

We'll need to fix these. The later is in generated code, so we may need to expedite #4731 (comment) and remove the function-calc-no-invalid rule.

[jeddy3]

This seems to have gone away.

If it reoccurs, there's a WIP branch to temporarily ignore the generated parser until we figure out what to do with it. The indentation regex needs tweaking in the branch.

[XhmikosR]

This is the same issue I mentioned the other time @jeddy3 :) https://github.com/stylelint/stylelint/compare/XhmikosR-patch-1

https://lgtm.com/projects/g/stylelint/stylelint/?mode=list

I don't think it's a false positive, but I haven't looked at it closely.

Anyway, before ignoring CodeQL I'd make sure if the issue is valid (which it looks like it).

[jeddy3]

This is the same issue I mentioned the other time @jeddy3 :)

Oh right, yes it is!

I'd make sure if the issue is valid (which it looks like it).

Yes, we should definitely fix the indentation issue. I'm not sure there's much we can do about the lib/utils/parseCalcExpression/parser.js one as that's generated code. Hence the suggestion to ignore until we can remove.

Did you want to PR your branch, or shall I port the Regex over to the fix-codeql branch?

[XhmikosR]

I don't think my patch is correct, though. The original regex is supposed to match \r?\n followed by \s. The correct fix would be to actually exclude \r\n from \s or replace \s with something more specific.

Not familiar with the exact code hence why I didn't make a patch :)

[jeddy3]

Regex isn't my strong suit. I've labelled the issue as "help wanted". Hopefully, someone more familiar with Regex and the rule code will jump in and update the regex in the fix-codeql branch.

[jeddy3]

I've deleted the fix-codeql branch.

The lib/utils/parseCalcExpression/parser.js file was removed in the v14 branch, leaving just the indentation warning to fix. Whoever picks this up, please branch off v14.

[dylmye]

Hi all, should we backport the fix created in #5539 to 13.x so users don't have to migrate to 14.x to benefit from this? Or have I got the wrong end of the stick here? Thanks

[jeddy3]

14.x will likely be released next week. It's unlikely we'll backport the fix to 13.x nor maintain a 13.x branch going forward. This ReDoS issue only affects users running Stylelint in the browser.