fix(isMagnetURI): update validation regex by tux-tn · Pull Request #1730 · validatorjs/validator.js
This PR updates the isMagnetURI validator regex:
- Fix ReDoS in old regex (thanks to @yetingli for discovering the vulnerability and @JamieSlome for reporting it)
- Validate only exact xt topics (btih,sha1,...) based on this list
- Validate only 32 or 40 hashes (Old regex was validating length between 32 and 40 even if only 32 (md5 and sha1) and 40 (btih, ed2k,...) character hashes are valid)
- Make tr and dn parameters optional (Magnet URI definition doesn't specify if other parameters than xt are required)
- Allow passing multiple xt urn using the standard xt.1 and xt.2,... (URI is valid even if only xt.1 is passed)
- Allow any other parameter (protocol allow passing non standard parameters)
- Use placeholder hashes in tests
- Add new tests
All the changes are based on the Magnet URI scheme definition here; there is no IETF RFC concerning magnet URI.
Checklist
- PR contains only changes related; no stray files, etc.
- Tests written (where applicable)
- Validate only exact xn topics (btih,sha1,...)
- Validate only 32 or 40 hashes
- Make tr and dn parameters optional
- Allow any other parameter (protocol allow passing non standard parameters)
- Use placeholder hashes in tests
- Fix ReDoS in old regex
- Add new tests
LGTM, thanks for the fix.
tux-tn deleted the hotfix/isMagnet branch
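The rules listed in the PR description, written as a parameter-by-parameter check whose cost grows linearly with input length. This is an added example, not validator.js code and not the regex from this PR; the function names, the topic set (only the four topics named in the description), the alphanumeric hash alphabet and the choice to reject any malformed xt parameter are assumptions.

```javascript
// Added example (not validator.js code). Assumptions are marked inline.
// Topic set: only the topics named in the PR text; the full list it links to
// is not reproduced here.
const XT_TOPICS = new Set(['btih', 'sha1', 'md5', 'ed2k']);
const XT_KEY = /^xt(?:\.[0-9]+)?$/i; // xt, xt.1, xt.2, ... (no nested quantifiers)
const HASH_CHARS = /^[a-z0-9]+$/i;   // assumption: hashes are alphanumeric text

// An xt value must be urn:<topic>:<hash> with a 32 or 40 character hash.
function isValidXtValue(value) {
  const parts = value.split(':');
  if (parts.length !== 3) return false;
  const [scheme, topic, hash] = parts;
  if (scheme.toLowerCase() !== 'urn') return false;
  if (!XT_TOPICS.has(topic.toLowerCase())) return false;
  if (hash.length !== 32 && hash.length !== 40) return false; // not "32 to 40"
  return HASH_CHARS.test(hash);
}

// Hypothetical helper name. Each parameter is examined once, so there is no
// backtracking across the whole URI as with one large pattern.
function checkMagnetURI(input) {
  if (typeof input !== 'string') return false;
  if (input.slice(0, 8).toLowerCase() !== 'magnet:?') return false;
  let xtCount = 0;
  for (const param of input.slice(8).split('&')) {
    const eq = param.indexOf('=');
    if (eq === -1) continue;                  // bare key: treated as "other"
    const key = param.slice(0, eq);
    if (!XT_KEY.test(key)) continue;          // dn, tr and non-standard keys pass
    // Assumption: any malformed xt parameter rejects the whole URI.
    if (!isValidXtValue(param.slice(eq + 1))) return false;
    xtCount += 1;
  }
  return xtCount > 0;                         // at least one xt is required
}

// Constructed placeholder hashes, in the spirit of the PR's test change.
const H40 = 'a'.repeat(40);
const H32 = 'b'.repeat(32);
console.log(checkMagnetURI(`magnet:?xt.1=urn:btih:${H40}&x.custom=1`));
console.log(checkMagnetURI(`magnet:?xt=urn:md5:${H32}&dn=name`));
```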