Merge pull request #81 from guillaumepotier/fix-cve

Fix valid plural regex check
guillaumepotier · Aug 14, 2024 · 8150aeb · 8150aeb
2 parents c5a587c + 6e52e0f
commit 8150aeb
Show file tree

Hide file tree

Showing 10 changed files with 45 additions and 9 deletions.
diff --git a/dist/gettext.amd.js b/dist/gettext.amd.js
@@ -94,9 +94,13 @@ define(function () { 'use strict';
         // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
         var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
 
-        if (!pf_re.test(plural_form))
+        var match = plural_form.match(pf_re);
+
+        if (!match || match[0] !== plural_form)
           throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
 
+        console.log('>>> Plural form:', plural_form);
+
         // Careful here, this is a hidden eval() equivalent..
         // Risk should be reasonable though since we test the plural_form through regex before
         // taken from https://github.com/Orange-OpenSource/gettext.js/blob/master/lib.gettext.js

diff --git a/dist/gettext.amd.min.js b/dist/gettext.amd.min.js
diff --git a/dist/gettext.cjs.js b/dist/gettext.cjs.js
@@ -94,9 +94,13 @@ var i18n = function (options) {
      // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
      var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
 
-     if (!pf_re.test(plural_form))
+     var match = plural_form.match(pf_re);
+
+     if (!match || match[0] !== plural_form)
        throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
 
+     console.log('>>> Plural form:', plural_form);
+
      // Careful here, this is a hidden eval() equivalent..
      // Risk should be reasonable though since we test the plural_form through regex before
      // taken from https://github.com/Orange-OpenSource/gettext.js/blob/master/lib.gettext.js

diff --git a/dist/gettext.cjs.min.js b/dist/gettext.cjs.min.js
diff --git a/dist/gettext.esm.js b/dist/gettext.esm.js
@@ -92,9 +92,13 @@ var i18n = function (options) {
      // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
      var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
 
-     if (!pf_re.test(plural_form))
+     var match = plural_form.match(pf_re);
+
+     if (!match || match[0] !== plural_form)
        throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
 
+     console.log('>>> Plural form:', plural_form);
+
      // Careful here, this is a hidden eval() equivalent..
      // Risk should be reasonable though since we test the plural_form through regex before
      // taken from https://github.com/Orange-OpenSource/gettext.js/blob/master/lib.gettext.js