fix(media-embed): remove ReDoS-prone regexes in host-gated providers #5305
Replace the unbounded '.*' patterns flagged by CodeQL (js/polynomial-redos) in the YouTube, Facebook, and Giphy branches with bounded extraction off the parsed URL (pathname / searchParams). Eliminates the O(n^2) backtracking a crafted valid-host URL could trigger, with no change to matched links.
Cursor Bugbot PR summary (Medium Risk). Overview: YouTube now pulls the video id from
Reviewed by Cursor Bugbot for commit 64df33e.
Greptile Summary: This PR removes ReDoS-prone media embed matching from host-gated providers. The main changes are:
Confidence Score: 5/5. This looks safe to merge.
Important Files Changed
Reviews (2): Last reviewed commit: "fix(media-embed): dispatch YouTube id by..."
Use the first path segment for youtu.be ids so a trailing slash still resolves (matching the previous regex), and cover extra-query-param, si-param, embed-query, and short-id cases.
…ents
- Resolve id from the /embed/ path segment before the ?v= query param so a valid embed URL with a spurious v param still embeds (was returning null)
- Remove non-TSDoc inline comments from the module and its test
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 64df33e.
Summary
- js/polynomial-redos alerts on packages/utils/src/media-embed.ts (introduced by feat(rich-markdown-editor): live media embeds + shared embed detection util #5290, now in staging).
- Cause: .* inside unanchored regexes. Even with the hostname gate, a crafted valid-host URL with a long path/query (e.g. https://facebook.com/ + 100k junk chars, no /videos/) triggers O(n²) backtracking — a client-side hang, since getEmbedInfo runs during note rendering + editor decoration (a crafted link in shared content could freeze other users' tabs).
- Fix: bounded extraction off the parsed URL (parsed.pathname / parsed.searchParams), so there is no .* left in these branches. No change to which links match.
Detail
- YouTube: youtu.be → first path segment; watch → searchParams.get('v'); embed → anchored /^\/embed\/([^/?]+)/; result validated with /^[a-zA-Z0-9_-]{11}$/
- Facebook: /\/videos\/\d+/ on the pathname (fb.watch via anchored segment) instead of facebook.com/.*/videos/
- Giphy: /gifs|embed/ path segment ([^/]+ + split('-').pop()), validated [a-zA-Z0-9]+
Type of Change
Testing
- media-embed.test.ts: existing cases pass; added coverage for extra YouTube query params, Facebook/fb.watch, and Giphy slug extraction (10 tests).
- tsc clean.
Checklist
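A bounded extractor in the shape the Summary and Detail above describe, written here as an added example rather than the PR's own media-embed.ts; the function names and the accepted host lists are assumptions:

```typescript
// Added example, not the project's media-embed.ts: bounded id extraction off
// the parsed URL (pathname / searchParams), so no '.*' ever runs over
// attacker-controlled path/query text. Function names and host lists assumed.

const YOUTUBE_ID = /^[a-zA-Z0-9_-]{11}$/;

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// youtu.be: first path segment (a trailing slash still resolves); youtube.com:
// anchored /embed/ segment before the ?v= param. The 11-char check bounds the id.
function getYouTubeId(raw: string): string | null {
  const parsed = parseUrl(raw);
  if (!parsed) return null;
  const host = parsed.hostname.replace(/^www\./, '');
  let id: string | null = null;
  if (host === 'youtu.be') {
    id = parsed.pathname.split('/').filter(Boolean)[0] ?? null;
  } else if (host === 'youtube.com') {
    const embed = /^\/embed\/([^/?]+)/.exec(parsed.pathname);
    id = embed ? embed[1] : parsed.searchParams.get('v');
  }
  return id !== null && YOUTUBE_ID.test(id) ? id : null;
}

// facebook.com needs /videos/<digits> in the pathname; fb.watch is one anchored
// path segment. Both patterns are linear in the pathname length.
function isFacebookVideo(raw: string): boolean {
  const parsed = parseUrl(raw);
  if (!parsed) return false;
  const host = parsed.hostname.replace(/^www\./, '');
  if (host === 'facebook.com') return /\/videos\/\d+/.test(parsed.pathname);
  if (host === 'fb.watch') return /^\/[^/?]+\/?$/.test(parsed.pathname);
  return false;
}

// Giphy: the /gifs/ or /embed/ path segment, slug part after the last '-',
// validated as alphanumeric.
function getGiphyId(raw: string): string | null {
  const parsed = parseUrl(raw);
  if (!parsed) return null;
  const host = parsed.hostname.replace(/^www\./, '');
  if (host !== 'giphy.com' && host !== 'media.giphy.com') return null;
  const seg = /^\/(?:gifs|embed)\/([^/]+)/.exec(parsed.pathname);
  const id = seg ? (seg[1].split('-').pop() ?? '') : '';
  return /^[a-zA-Z0-9]+$/.test(id) ? id : null;
}
```

The long junk-path case from the Summary (a valid host followed by 100k characters and no /videos/) now returns false in linear time, because the only regex it meets is applied to the already-parsed pathname.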