sets limits in regexes

mozilla-services · Jun 7, 2017 · e34a871 · e34a871
1 parent c1b84e5
commit e34a871
Show file tree

Hide file tree

Showing 12 changed files with 31 additions and 31 deletions.
diff --git a/addon/webextension/background/deviceInfo.js b/addon/webextension/background/deviceInfo.js
@@ -11,9 +11,9 @@ this.deviceInfo = (function() {
   }));
 
   return function deviceInfo() {
-    let match = navigator.userAgent.match(/Chrom(?:e|ium)\/([0-9\.]+)/);
+    let match = navigator.userAgent.match(/Chrom(?:e|ium)\/([0-9\.]{1,1000})/);
     let chromeVersion = match ? match[1] : null;
-    match = navigator.userAgent.match(/Firefox\/([0-9\.]+)/);
+    match = navigator.userAgent.match(/Firefox\/([0-9\.]{1,1000})/);
     let firefoxVersion = match ? match[1] : null;
     let appName = chromeVersion ? "chrome" : "firefox";
 

diff --git a/addon/webextension/background/main.js b/addon/webextension/background/main.js
@@ -171,7 +171,7 @@ this.main = (function() {
     if (path == "shots") {
       return true;
     }
-    if (/^[^/]+\/[^/]+$/.test(path)) {
+    if (/^[^/]{1,4000}\/[^/]{1,4000}$/.test(path)) {
       // Blocks {:id}/{:domain}, but not /, /privacy, etc
       return true;
     }

diff --git a/addon/webextension/domainFromUrl.js b/addon/webextension/domainFromUrl.js
@@ -14,7 +14,7 @@ this.domainFromUrl = (function() {
         domain = "unknown";
       }
     }
-    if (domain.search(/^[a-z0-9.\-]+$/i) === -1) {
+    if (domain.search(/^[a-z0-9.\-]{1,1000}$/i) === -1) {
       // Probably a unicode domain; we could use punycode but it wouldn't decode
       // well in the URL anyway.  Instead we'll punt.
       domain = domain.replace(/[^a-z0-9.\-]/ig, "");

diff --git a/addon/webextension/selector/documentMetadata.js b/addon/webextension/selector/documentMetadata.js
@@ -18,7 +18,7 @@ this.documentMetadata = (function() {
   function getOpenGraph() {
     let openGraph = {};
     // If you update this, also update _OPENGRAPH_PROPERTIES in shot.js:
-    let forceSingle = `title type url`.split(/\s+/g);
+    let forceSingle = `title type url`.split(" ");
     let openGraphProperties = `
     title type url image audio description determiner locale site_name video
     image:secure_url image:type image:width image:height

diff --git a/server/src/ga-activation.js b/server/src/ga-activation.js
@@ -21,7 +21,7 @@ function _dntEnabled(dnt, ua) {
     // List of Windows versions known to not implement DNT according to the standard.
     var anomalousWinVersions = ['Windows NT 6.1', 'Windows NT 6.2', 'Windows NT 6.3'];
 
-    var fxMatch = ua.match(/Firefox\\/(\\d+)/);
+    var fxMatch = ua.match(/Firefox\\/(\\d{1,10})/);
     var ieRegEx = /MSIE|Trident/i;
     var isIE = ieRegEx.test(ua);
     // Matches from Windows up to the first occurance of ; un-greedily
@@ -146,7 +146,7 @@ window.sendEvent = function (action, label, options) {
 };
 `;
 
-const idRegex = /^[a-zA-Z0-9_.,-]+$/;
+const idRegex = /^[a-zA-Z0-9_.,-]{1,1000}$/;
 
 exports.makeGaActivationString = function(gaId, userId, abTests, hashLocation) {
   if (gaId === "") {

diff --git a/server/src/pages/shot/controller.js b/server/src/pages/shot/controller.js
@@ -123,12 +123,12 @@ function refreshHash() {
     return;
   }
   let clipId = null;
-  let match = (/clip=([^&]+)/).exec(location.hash);
+  let match = (/clip=([^&]{1,255})/).exec(location.hash);
   if (match) {
     clipId = decodeURIComponent(match[1]);
   }
   let source = "change-clip"; // eslint-disable-line no-unused-vars
-  match = (/source=([^&]+)/).exec(location.hash);
+  match = (/source=([^&]{1,255})/).exec(location.hash);
   if (match) {
     source = decodeURIComponent(match[1]);
   }

diff --git a/server/src/pages/shot/view.js b/server/src/pages/shot/view.js
@@ -326,7 +326,7 @@ class Body extends React.Component {
       clipUrl = clip.image.url;
     }
 
-    let renderGetFirefox = this.props.userAgent && (this.props.userAgent + "").search(/firefox\/\d+/i) === -1;
+    let renderGetFirefox = this.props.userAgent && (this.props.userAgent + "").search(/firefox\/\d{1,255}/i) === -1;
     let renderExtensionNotification = !(this.props.isExtInstalled || renderGetFirefox);
     if (this.props.isMobile || this.state.closeBanner) {
       renderGetFirefox = renderExtensionNotification = false;

diff --git a/server/src/pages/shotindex/controller.js b/server/src/pages/shotindex/controller.js
@@ -9,7 +9,7 @@ let model;
 exports.launch = function(m) {
   if (m.hasDeviceId) {
     m.shots = m.shots.map((shot) => new AbstractShot(m.backend, shot.id, shot.json));
-    let match = /[\?&]q=([^&]+)/.exec(location.href);
+    let match = /[\?&]q=([^&]{1,4000})/.exec(location.href);
     if (match) {
       m.defaultSearch = decodeURIComponent(match[1]);
     }
@@ -64,7 +64,7 @@ exports.deleteShot = function(shot) {
 };
 
 window.addEventListener("popstate", () => {
-  let match = /[?&]q=([^&]*)/.exec(location.search);
+  let match = /[?&]q=([^&]{0,4000})/.exec(location.search);
   if (!match) {
     model.defaultSearch = "";
   } else {

diff --git a/server/src/server.js b/server/src/server.js
@@ -284,7 +284,7 @@ function decodeAuthHeader(header) {
   /** Decode a string header in the format {deviceId}:{deviceIdSig};abtests={b64thing}:{sig} */
   // Since it's treated as opaque, we'll use a fragile regex
   let keygrip = dbschema.getKeygrip();
-  let match = /^([^:]+):([^;]+);abTests=([^:]+):(.*)$/.exec(header);
+  let match = /^([^:]{1,255}):([^;]{1,255});abTests=([^:]{1,1500}):(.{0,255})$/.exec(header);
   if (!match) {
     // FIXME: log, Sentry error
     return {};
@@ -571,7 +571,7 @@ app.post("/api/register", function(req, res) {
 
 function sendAuthInfo(req, res, params) {
   let { deviceId, userAbTests } = params;
-  if (deviceId.search(/^[a-zA-Z0-9_-]+$/) == -1) {
+  if (deviceId.search(/^[a-zA-Z0-9_-]{1,255}$/) == -1) {
     // FIXME: add logging message with deviceId
     throw new Error("Bad deviceId");
   }
@@ -932,7 +932,7 @@ app.get("/oembed", function(req, res) {
     return;
   }
   url = url.substr(backend.length);
-  let match = /^\/*([^\/]+)\/([^\/]+)/.exec(url);
+  let match = /^\/{0,255}([^\/]{1,255})\/([^\/]{1,255})/.exec(url);
   if (!match) {
     simpleResponse(res, "Error: not a Shot url", 404);
     return;

diff --git a/server/src/servershot.js b/server/src/servershot.js
@@ -267,7 +267,7 @@ class Shot extends AbstractShot {
       queryParts.push(`setweight(to_tsvector(${addText(t)}), '${weight}') /* ${name} */`);
     }
     if (this.url) {
-      let domain = this.url.replace(/^.*:/, "").replace(/\/.*$/, "");
+      let domain = this.url.replace(/^.{0,4000}:/, "").replace(/\/.{0,4000}$/, "");
       addWeight(domain, 'B', 'domain');
     }
     addWeight(this.title, 'A', 'title');

diff --git a/shared/shot.js b/shared/shot.js
@@ -14,22 +14,22 @@ function assert(condition, ...args) {
 /** True if `url` is a valid URL */
 function isUrl(url) {
   // FIXME: this is rather naive, obviously
-  if ((/^about:.+$/i).test(url)) {
+  if ((/^about:.{1,8000}$/i).test(url)) {
     return true;
   }
-  if ((/^file:\/.*$/i).test(url)) {
+  if ((/^file:\/.{0,8000}$/i).test(url)) {
     return true;
   }
   if ((/^data:.*$/i).test(url)) {
     return true;
   }
-  if ((/^chrome:.*/i).test(url)) {
+  if ((/^chrome:.{0,8000}/i).test(url)) {
     return true;
   }
   if ((/^view-source:/i).test(url)) {
     return isUrl(url.substr("view-source:".length));
   }
-  return (/^https?:\/\/[a-z0-9\.\-]+[a-z0-9](:[0-9]+)?\/?/i).test(url);
+  return (/^https?:\/\/[a-z0-9\.\-]{1,8000}[a-z0-9](:[0-9]{1,8000})?\/?/i).test(url);
 }
 
 function assertUrl(url) {
@@ -46,7 +46,7 @@ function assertUrl(url) {
 function assertOrigin(url) {
   assertUrl(url);
   if (url.search(/^https?:/i) != -1) {
-    let match = (/^https?:\/\/[^/:]+\/?$/i).exec(url);
+    let match = (/^https?:\/\/[^/:]{1,4000}\/?$/i).exec(url);
     if (!match) {
       throw new Error("Bad origin, might include path");
     }
@@ -61,7 +61,7 @@ function originFromUrl(url) {
     // Non-HTTP URLs don't have an origin
     return null;
   }
-  let match = (/^https?:\/\/[^/:]+/i).exec(url);
+  let match = (/^https?:\/\/[^/:]{1,4000}/i).exec(url);
   if (match) {
     return match[0];
   }
@@ -121,7 +121,7 @@ function resolveUrl(base, url) {
   }
   if (url.indexOf("/") === 0) {
     // Domain-relative URL
-    return (/^https?:\/\/[a-z0-9\.\-]+/i).exec(base)[0] + url;
+    return (/^https?:\/\/[a-z0-9\.\-]{1,4000}/i).exec(base)[0] + url;
   }
   // Otherwise, a full relative URL
   while (url.indexOf("./") === 0) {
@@ -196,7 +196,7 @@ class AbstractShot {
 
   constructor(backend, id, attrs) {
     attrs = attrs || {};
-    assert((/^[a-zA-Z0-9]+\/[a-z0-9\.-]+$/).test(id), "Bad ID (should be alphanumeric):", JSON.stringify(id));
+    assert((/^[a-zA-Z0-9]{1,4000}\/[a-z0-9\.-]{1,4000}$/).test(id), "Bad ID (should be alphanumeric):", JSON.stringify(id));
     this._backend = backend;
     this._id = id;
     this.origin = attrs.origin || null;
@@ -347,7 +347,7 @@ class AbstractShot {
     let filenameTitle = this.title;
     let date = new Date(this.createdDate);
     filenameTitle = filenameTitle.replace(/[\/!@&*.|\n\r\t]/g, " ");
-    filenameTitle = filenameTitle.replace(/\s+/g, " ");
+    filenameTitle = filenameTitle.replace(/\s{1,4000}/g, " ");
     let clipFilename = `Screenshot-${date.getFullYear()}-${date.getMonth() + 1}-${date.getDate()} ${filenameTitle}`;
     const clipFilenameBytesSize = clipFilename.length * 2; // JS STrings are UTF-16
     if (clipFilenameBytesSize > 251) { // 255 bytes (Usual filesystems max) - 4 for the ".png" file extension string
@@ -364,15 +364,15 @@ class AbstractShot {
     }
     if (this.url.search(/^https?/i) != -1) {
       let txt = this.url;
-      txt = txt.replace(/^[a-z]+:\/\//i, "");
-      txt = txt.replace(/\/.*/, "");
+      txt = txt.replace(/^[a-z]{1,4000}:\/\//i, "");
+      txt = txt.replace(/\/.{0,4000}/, "");
       txt = txt.replace(/^www\./i, "");
       return txt;
     } else if (this.url.startsWith("data:")) {
       return "data:url";
     }
     let txt = this.url;
-    txt = txt.replace(/\?.*/, "");
+    txt = txt.replace(/\?.{0,4000}/, "");
     return txt;
   }
 

diff --git a/static/js/wantsauth.js b/static/js/wantsauth.js
@@ -23,9 +23,9 @@ window.wantsauth = (function() {
   // Note that this module is only loosely bound to any controller, but there
   // is special logic for view pages where ownership is interesting in addition to
   // authentication.  As a result we have to parse the URL on our own:
-  let maybeShotId = location.href.replace(/^https?:\/\/[^/]+\//i, "");
-  maybeShotId = maybeShotId.replace(/\?.*/, "").replace(/#.*/, "");
-  if (maybeShotId.search(/[a-z0-9]+\/[a-z0-9.]+$/i) === -1) {
+  let maybeShotId = location.href.replace(/^https?:\/\/[^/]{1,4000}\//i, "");
+  maybeShotId = maybeShotId.replace(/\?.*/, "").replace(/#.{0,4000}/, "");
+  if (maybeShotId.search(/[a-z0-9]+\/[a-z0-9.]{1,4000}$/i) === -1) {
     // Not a shot ID, which should look like {stuff}/{stuff}
     maybeShotId = null;
   }