Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(isMagnetURI): update validation regex #1730

Merged
merged 3 commits into from Sep 21, 2021
Merged

fix(isMagnetURI): update validation regex #1730

merged 3 commits into from Sep 21, 2021

Conversation

tux-tn
Copy link
Member

@tux-tn tux-tn commented Sep 20, 2021
edited

This PR updates the isMagnetURI validator regex:

  • Fix ReDOS in old regex (thanks to @yetingli for discovering the vulnerability and @JamieSlome for reporting it)
  • Validate only exact xt topics (btih,sha1,...) based on this list
  • Validate only 32 or 40 hashes (Old regex was validating length between 32 and 40 even if only 32 (md5 and sha1) and 40 (btih, ed2k,...) character hashes are valid )
  • Make tr and dn parameters optional (Magnet URI definition doesn't specify if other parameters than xt are required
  • Allow passing multiple xt urn using the standard xt.1 and xt.2,... (URI is valid even if only xt.1 is passed)
  • Allow any other parameter (protocol allow passing non standard parameters)
  • Use placeholder hashes in tests
  • Add new tests

All the changes are based on the Magnet URI scheme definition here , there is no IETF RFC concerning magnet URI.

Checklist

  • PR contains only changes related; no stray files, etc.
  • Tests written (where applicable)

@tux-tn
fix(isMagnetURI): update validation regex
e263b32 
- Validate only exact xn topics (btih,sha1,...)
- Validate only 32 or 40 hashes
- Make tr and dn parameters optional
- Allow any other parameter (protocol allow passing non standard parameters)
- Use placeholder hashes in tests 
- Fix ReDOS in old regex
- Add new tests
@codecov
Copy link

codecov bot commented Sep 20, 2021
edited

Codecov Report

Merging #1730 (90a51c2) into master (8c4b3b3) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff            @@
##            master     #1730   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          101       101           
  Lines         2005      2005           
  Branches       452       452           
=========================================
  Hits          2005      2005
Impacted Files Coverage Δ
src/lib/isMagnetURI.js 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8c4b3b3...90a51c2. Read the comment docs.

ezkemboi
ezkemboi previously approved these changes Sep 20, 2021
View reviewed changes
profnandaa
profnandaa previously approved these changes Sep 20, 2021
View reviewed changes
Copy link
Member

@profnandaa profnandaa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the fix.

profnandaa
profnandaa reviewed Sep 20, 2021
View reviewed changes
src/lib/isMagnetURI.js Outdated Show resolved Hide resolved
@tux-tn tux-tn dismissed stale reviews from profnandaa and ezkemboi via 3c4157a September 20, 2021 17:47
@profnandaa profnandaa merged commit 7376945 into validatorjs:master Sep 21, 2021
@profnandaa
Copy link
Member

@tux-tn @ezkemboi -- let me do a release this weekend. You can help complete reviews of the remaining PRs.

@ezkemboi
Copy link
Member

Thanks, @profnandaa.
We will do that.

@tux-tn tux-tn deleted the hotfix/isMagnet branch September 21, 2021 09:30
@tux-tn
Copy link
Member Author

tux-tn commented Sep 21, 2021

Thank you @profnandaa

@profnandaa profnandaa mentioned this pull request Oct 31, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@profnandaa profnandaa profnandaa approved these changes

@ezkemboi ezkemboi ezkemboi left review comments

Assignees
No one assigned
Labels
needs-more-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@tux-tn @profnandaa @ezkemboi