Fix: catastrophic backtracking in astUtils linebreak regex (fixes #7893) #7898

Merged
merged 2 commits into from Jan 12, 2017

not-an-aardvark
Member

What is the purpose of this pull request? (put an "X" next to item)

[x] Bug fix (see #7893)

What changes did you make? (Give an overview)

This fixes an issue where `astUtils.getLocationFromRangeIndex` and `astUtils.getRangeIndexFromLocation` were using a regular expression susceptible to catastrophic backtracking. The match would take quadratic time in the length of the last line of the file. Since the file in #7893 contains a 1.5 million character source map URL on the last line, rules like `no-multiple-empty-lines` would hang when using ast-utils to split the file into lines.

This issue only applies to files without trailing newlines, and is only noticeable when the last line of the file contains more than 30000 characters or so. Since only a few rules use these `astUtils` functions, this would only appear when either `no-useless-escape` or `no-multiple-empty-lines` reports an error for the file.

Simplified example: Node 7.4.0 hangs when evaluating this expression.

```js
/[^\n]*\n/.test('A'.repeat(1000000))
```

Is there anything you'd like reviewers to focus on?

Nothing in particular
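
The two ways of building the line-index table, side by side, as an added example that is not part of the original pull request or ESLint's own code. The first function uses the pattern this pull request removes; the second matches only the terminators. The function names and the sample text are constructed for illustration.

```javascript
// Added example; names and inputs are constructed, not taken from ESLint.
const LINE_WITH_BREAK = /[^\r\n\u2028\u2029]*(\r\n|\r|\n|\u2028|\u2029)/g; // removed pattern
const LINE_BREAK = /\r\n|\r|\n|\u2028|\u2029/g; // terminator only, nothing to backtrack over

// Old approach: match "line content + terminator". On a final line with no
// terminator, every start offset consumes to the end of the text, fails to
// find a terminator, and backtracks, which is quadratic in that line's length.
function lineIndicesBacktracking(text) {
    return (text.match(LINE_WITH_BREAK) || [])
        .reduce((indices, line) => indices.concat(indices[indices.length - 1] + line.length), [0]);
}

// Linear approach: find each terminator and record the offset just past it.
// "\r\n" is listed first so it counts as a single break.
function lineIndicesLinear(text) {
    const indices = [0];

    for (const match of text.matchAll(LINE_BREAK)) {
        indices.push(match.index + match[0].length);
    }
    return indices;
}

// Wall-clock milliseconds for one call on a single unterminated line of length n.
function timeUnterminatedLine(fn, n) {
    const text = "A".repeat(n);
    const start = Date.now();

    fn(text);
    return Date.now() - start;
}

// Constructed sample: all five terminators, last line without a trailing newline.
const sample = "a\r\nbc\rd\n\u2028e\u2029tail";

console.log(lineIndicesBacktracking(sample), lineIndicesLinear(sample));

// Sizes are kept small so the old version still finishes; compare how each
// column grows as n doubles.
for (const n of [5000, 10000, 20000]) {
    console.log(n,
        timeUnterminatedLine(lineIndicesBacktracking, n),
        timeUnterminatedLine(lineIndicesLinear, n));
}
```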

@eslintbot

LGTM

@mention-bot

@not-an-aardvark, thanks for your PR! By analyzing the history of the files in this pull request, we identified @mysticatea, @kaicataldo and @alangpierce to be potential reviewers.

not-an-aardvark added the `accepted`, `bug` and `rule` labels on Jan 11, 2017
@@ -309,6 +309,11 @@ ruleTester.run("no-multiple-empty-lines", rule, {
errors: [getExpectedError(1)],
options: [{ max: 1 }],
parserOptions: { ecmaVersion: 6 }
},
{
Member

Perhaps we could link to the related issue here, to make sure we don't forget about it?

@@ -290,8 +290,13 @@ const lineIndexCache = new WeakMap();
function getLineIndices(sourceCode) {

if (!lineIndexCache.has(sourceCode)) {
const lineIndices = (sourceCode.text.match(/[^\r\n\u2028\u2029]*(\r\n|\r|\n|\u2028|\u2029)/g) || [])
.reduce((indices, line) => indices.concat(indices[indices.length - 1] + line.length), [0]);
const lineIndices = [0];
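
Review bot: the code that follows `const lineIndices = [0];` has to recognise exactly the terminators the removed pattern listed (`\r\n`, `\r`, `\n`, `\u2028`, `\u2029`), with `\r\n` tried first so it counts as one break, and must add no index for a final line that has no terminator, since the removed `match(...)` never matched that line. A unit test that compares the resulting indices for a text mixing all five terminators and ending without a newline would pin the equivalence down.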
Member

Can you add a comment here explaining why it's done this way? I can see some well-meaning dev thinking they can simplify this and reverting accidentally.

@eslintbot

LGTM

nzakas merged commit 427543a into master on Jan 12, 2017

not-an-aardvark deleted the ast-utils-catastrophic-backtracking branch on January 13, 2017 00:20

eslint-deprecated bot locked and limited conversation to collaborators on Feb 6, 2018

eslint-deprecated bot added the `archived due to age` label on Feb 6, 2018