Skip to content

Commit 48752c6

Browse files
authored
fix(media-embed): remove ReDoS-prone regexes in host-gated providers (#5305)
* fix(media-embed): remove ReDoS-prone regexes in host-gated providers Replace the unbounded '.*' patterns flagged by CodeQL (js/polynomial-redos) in the YouTube, Facebook, and Giphy branches with bounded extraction off the parsed URL (pathname / searchParams). Eliminates the O(n^2) backtracking a crafted valid-host URL could trigger, with no change to matched links. * test(media-embed): lock youtu.be trailing-slash + edge parity Use the first path segment for youtu.be ids so a trailing slash still resolves (matching the previous regex), and cover extra-query-param, si-param, embed-query, and short-id cases. * fix(media-embed): dispatch YouTube id by path shape; drop inline comments - Resolve id from the /embed/ path segment before the ?v= query param so a valid embed URL with a spurious v param still embeds (was returning null) - Remove non-TSDoc inline comments from the module and its test
1 parent 7662ecc commit 48752c6

2 files changed

Lines changed: 41 additions & 19 deletions

File tree

packages/utils/src/media-embed.test.ts

Lines changed: 23 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,29 @@ describe('getEmbedInfo', () => {
77
expect(getEmbedInfo('https://www.youtube.com/watch?v=dQw4w9WgXcQ')).toEqual(expected)
88
expect(getEmbedInfo('https://youtu.be/dQw4w9WgXcQ')).toEqual(expected)
99
expect(getEmbedInfo('https://www.youtube.com/embed/dQw4w9WgXcQ')).toEqual(expected)
10+
expect(getEmbedInfo('https://www.youtube.com/watch?list=RD&v=dQw4w9WgXcQ&t=5')).toEqual(
11+
expected
12+
)
13+
expect(getEmbedInfo('https://youtu.be/dQw4w9WgXcQ?si=abc')).toEqual(expected)
14+
expect(getEmbedInfo('https://youtu.be/dQw4w9WgXcQ/')).toEqual(expected)
15+
expect(getEmbedInfo('https://www.youtube.com/embed/dQw4w9WgXcQ?rel=0')).toEqual(expected)
16+
expect(getEmbedInfo('https://www.youtube.com/embed/dQw4w9WgXcQ?v=notAnId')).toEqual(expected)
17+
expect(getEmbedInfo('https://www.youtube.com/watch?v=short')).toBeNull()
18+
})
19+
20+
it('maps Facebook and fb.watch video links to the video plugin', () => {
21+
expect(getEmbedInfo('https://www.facebook.com/some.page/videos/1234567890')).toEqual({
22+
url: 'https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsome.page%2Fvideos%2F1234567890&show_text=false',
23+
type: 'iframe',
24+
})
25+
expect(getEmbedInfo('https://fb.watch/abc123')?.type).toBe('iframe')
26+
expect(getEmbedInfo('https://www.facebook.com/some.page/about')).toBeNull()
27+
})
28+
29+
it('extracts the Giphy id from the trailing slug token', () => {
30+
const expected = { url: 'https://giphy.com/embed/abc123', type: 'iframe', aspectRatio: '1/1' }
31+
expect(getEmbedInfo('https://giphy.com/gifs/funny-cat-abc123')).toEqual(expected)
32+
expect(getEmbedInfo('https://giphy.com/embed/abc123')).toEqual(expected)
1033
})
1134

1235
it('maps Vimeo and Spotify URLs with their aspect ratios', () => {
@@ -38,13 +61,10 @@ describe('getEmbedInfo', () => {
3861
})
3962

4063
it('only embeds when the parsed host belongs to the provider', () => {
41-
// A provider domain in the path or as a subdomain prefix of an attacker host
42-
// must not be treated as that provider.
4364
expect(getEmbedInfo('https://evil.com/youtube.com/watch?v=dQw4w9WgXcQ')).toBeNull()
4465
expect(getEmbedInfo('https://youtube.com.evil.com/watch?v=dQw4w9WgXcQ')).toBeNull()
4566
expect(getEmbedInfo('https://evil.com/open.spotify.com/track/abc123')).toBeNull()
4667
expect(getEmbedInfo('https://vimeo.com.evil.com/123456')).toBeNull()
47-
// Legitimate subdomains of a provider still embed.
4868
expect(getEmbedInfo('https://m.youtube.com/watch?v=dQw4w9WgXcQ')).toEqual({
4969
url: 'https://www.youtube.com/embed/dQw4w9WgXcQ',
5070
type: 'iframe',
@@ -71,8 +91,6 @@ describe('getEmbedInfo', () => {
7191
})
7292

7393
it('does not apply the Dropbox direct-link rewrite to look-alike hosts', () => {
74-
// Look-alike hosts fall through to the generic video handler with their
75-
// original (untrusted) host intact — never rewritten as if trusted Dropbox.
7694
expect(getEmbedInfo('https://dropbox.com.evil.com/clip.mp4')?.url).not.toContain(
7795
'dropboxusercontent.com'
7896
)

packages/utils/src/media-embed.ts

Lines changed: 18 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -64,12 +64,14 @@ function toDropboxDirectVideoUrl(parsed: URL): string | null {
6464
export function getEmbedInfo(url: string): EmbedInfo | null {
6565
const parsed = parseUrl(url)
6666
const host = parsed?.hostname.toLowerCase() ?? null
67-
if (hostMatches(host, 'youtube.com', 'youtu.be')) {
68-
const youtubeMatch = url.match(
69-
/(?:youtube\.com\/watch\?(?:.*&)?v=|youtu\.be\/|youtube\.com\/embed\/)([a-zA-Z0-9_-]{11})/
70-
)
71-
if (youtubeMatch) {
72-
return { url: `https://www.youtube.com/embed/${youtubeMatch[1]}`, type: 'iframe' }
67+
if (parsed && hostMatches(host, 'youtube.com', 'youtu.be')) {
68+
const segments = parsed.pathname.split('/')
69+
let id: string | null | undefined
70+
if (hostMatches(host, 'youtu.be')) id = segments[1]
71+
else if (segments[1] === 'embed') id = segments[2]
72+
else id = parsed.searchParams.get('v')
73+
if (id && /^[a-zA-Z0-9_-]{11}$/.test(id)) {
74+
return { url: `https://www.youtube.com/embed/${id}`, type: 'iframe' }
7375
}
7476
}
7577

@@ -209,10 +211,11 @@ export function getEmbedInfo(url: string): EmbedInfo | null {
209211
}
210212
}
211213

212-
if (hostMatches(host, 'facebook.com', 'fb.watch')) {
213-
const facebookVideoMatch =
214-
url.match(/facebook\.com\/.*\/videos\/(\d+)/) || url.match(/fb\.watch\/([a-zA-Z0-9_-]+)/)
215-
if (facebookVideoMatch) {
214+
if (parsed && hostMatches(host, 'facebook.com', 'fb.watch')) {
215+
const isFacebookVideo = hostMatches(host, 'fb.watch')
216+
? /^\/[a-zA-Z0-9_-]+/.test(parsed.pathname)
217+
: /\/videos\/\d+/.test(parsed.pathname)
218+
if (isFacebookVideo) {
216219
return {
217220
url: `https://www.facebook.com/plugins/video.php?href=${encodeURIComponent(url)}&show_text=false`,
218221
type: 'iframe',
@@ -320,10 +323,11 @@ export function getEmbedInfo(url: string): EmbedInfo | null {
320323
}
321324
}
322325

323-
if (hostMatches(host, 'giphy.com')) {
324-
const giphyMatch = url.match(/giphy\.com\/(?:gifs|embed)\/(?:.*-)?([a-zA-Z0-9]+)/)
325-
if (giphyMatch) {
326-
return { url: `https://giphy.com/embed/${giphyMatch[1]}`, type: 'iframe', aspectRatio: '1/1' }
326+
if (parsed && hostMatches(host, 'giphy.com')) {
327+
const segment = parsed.pathname.match(/^\/(?:gifs|embed)\/([^/]+)/)?.[1]
328+
const giphyId = segment?.split('-').pop()
329+
if (giphyId && /^[a-zA-Z0-9]+$/.test(giphyId)) {
330+
return { url: `https://giphy.com/embed/${giphyId}`, type: 'iframe', aspectRatio: '1/1' }
327331
}
328332
}
329333

0 commit comments

Comments
 (0)