Skip to content

Commit

Permalink
Update validateBaseUrl to use latest regex
Browse files Browse the repository at this point in the history
Summary:
Updating the regex to avoid a potential regular expression denial-of-service vulnerability.

Changelog: Update validateBaseUrl to use a more robust regular expression. Fixes CVE-2020-1920, GHSL-2020-293

Reviewed By: lunaleaps

Differential Revision: D25507604

fbshipit-source-id: c36a03c456881bc655c861e1a2c5cd41a7127c9d
  • Loading branch information
FBNeal authored and kelset committed Apr 30, 2021
1 parent 166a5dd commit ca09ae8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Libraries/Blob/URL.js
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ export class URLSearchParams {

function validateBaseUrl(url: string) {
// from this MIT-licensed gist: https://gist.github.com/dperini/729294
return /^(?:(?:(?:https?|ftp):)?\/\/)(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,}))?)(?::\d{2,5})?(?:[/?#]\S*)?$/i.test(
return /^(?:(?:(?:https?|ftp):)?\/\/)(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)*(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/.test(
url,
);
}
Expand Down

0 comments on commit ca09ae8

Please sign in to comment.