Commit 48752c6
fix(media-embed): remove ReDoS-prone regexes in host-gated providers (#5305)
* fix(media-embed): remove ReDoS-prone regexes in host-gated providers
Replace the unbounded '.*' patterns flagged by CodeQL (js/polynomial-redos) in
the YouTube, Facebook, and Giphy branches with bounded extraction off the parsed
URL (pathname / searchParams). Eliminates the O(n^2) backtracking a crafted
valid-host URL could trigger, with no change to matched links.
* test(media-embed): lock youtu.be trailing-slash + edge parity
Use the first path segment for youtu.be ids so a trailing slash still resolves
(matching the previous regex), and cover extra-query-param, si-param, embed-query,
and short-id cases.
* fix(media-embed): dispatch YouTube id by path shape; drop inline comments
- Resolve id from the /embed/ path segment before the ?v= query param so a valid
embed URL with a spurious v param still embeds (was returning null)
- Remove non-TSDoc inline comments from the module and its test
1 parent 7662ecc commit 48752c6
2 files changed
Lines changed: 41 additions & 19 deletions
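The bounded-extraction approach the commit message describes, as an added example in TypeScript that is not the commit's own code: the id is resolved from the parsed URL's pathname and searchParams, with the /embed/ path segment taking precedence over a spurious ?v= and youtu.be reading the first non-empty segment so a trailing slash still resolves. The host allow-list, the 11-character id shape and the name extractYouTubeId are assumptions.

```typescript
// Added example, not the media-embed module's code: resolve a YouTube video id
// from a parsed URL (pathname / searchParams) instead of an unbounded regex.
// Assumed here: the host allow-list and the 11-character id shape.

const YOUTUBE_HOSTS = new Set(["youtube.com", "www.youtube.com", "m.youtube.com"]);

// Anchored, fixed-length character class: linear work, no nested quantifiers.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

/** Non-empty path segments, so a trailing slash leaves the first segment intact. */
function pathSegments(url: URL): string[] {
  return url.pathname.split("/").filter((s) => s.length > 0);
}

function validId(candidate: string | null | undefined): string | null {
  return candidate && VIDEO_ID.test(candidate) ? candidate : null;
}

/**
 * Returns the video id for a youtu.be or youtube.com link, or null.
 * Host gate first, then dispatch by path shape: the /embed/ segment wins over
 * ?v=, so an embed URL carrying a spurious v param still resolves; ?v= is
 * read only for /watch, and extra query params (e.g. si) are ignored.
 */
export function extractYouTubeId(input: string): string | null {
  let url: URL;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const host = url.hostname.toLowerCase();
  const segments = pathSegments(url);

  if (host === "youtu.be") return validId(segments[0]);
  if (!YOUTUBE_HOSTS.has(host)) return null;
  if (segments[0] === "embed") return validId(segments[1]);
  if (segments[0] === "watch") return validId(url.searchParams.get("v"));
  return null;
}
```

Every branch does a constant number of string comparisons plus one anchored, fixed-length test, so input length no longer drives matching cost.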
[First file diff: the line contents were not captured on this page; only the line map survives. Added new lines 10-32; removed old lines 41-42 and 47; removed old lines 74-75.]
[Second file diff: the line contents were not captured on this page; only the line map survives. Old lines 67-72 replaced by new lines 67-74; old lines 212-215 replaced by new lines 214-218; old lines 323-326 replaced by new lines 326-330.]
0 commit comments