Fix processing of replacement pattern with named capture groups (#17173)

mmmsssttt404 · JLHwung · web-flow · commit d5952e80c0fa · 2025-03-11T18:28:36.000+01:00
* Update index.spec.js test wrapRegExp * Update wrapRegExp.js * Update index.spec.js * fix: avoid branch ambiguity in substitution regex * move test to babel-runtime * fix: improve check * add more test cases * update artifacts * add common test case for #17174 * fix test * match the line terminator instead * fix: support hasOwnProperty as captured name * update artifacts * add more test cases * fixup update artifacts * shrink helper * update artifacts * make windows happy --------- Co-authored-by: Huáng Jùnliàng <jlhwung@gmail.com>
diff --git a/packages/babel-helpers/src/helpers-generated.ts b/packages/babel-helpers/src/helpers-generated.ts
@@ -1414,10 +1414,10 @@ const helpers: Record<string, Helper> = {
       },
     },
   ),
-  // size: 1163, gzip size: 540
+  // size: 1213, gzip size: 560
   wrapRegExp: helper(
     "7.19.0",
-    'function _wrapRegExp(){_wrapRegExp=function(e,r){return new BabelRegExp(e,void 0,r)};var e=RegExp.prototype,r=new WeakMap;function BabelRegExp(e,t,p){var o=RegExp(e,t);return r.set(o,p||r.get(e)),setPrototypeOf(o,BabelRegExp.prototype)}function buildGroups(e,t){var p=r.get(t);return Object.keys(p).reduce((function(r,t){var o=p[t];if("number"==typeof o)r[t]=e[o];else{for(var i=0;void 0===e[o[i]]&&i+1<o.length;)i++;r[t]=e[o[i]]}return r}),Object.create(null))}return inherits(BabelRegExp,RegExp),BabelRegExp.prototype.exec=function(r){var t=e.exec.call(this,r);if(t){t.groups=buildGroups(t,this);var p=t.indices;p&&(p.groups=buildGroups(p,this))}return t},BabelRegExp.prototype[Symbol.replace]=function(t,p){if("string"==typeof p){var o=r.get(this);return e[Symbol.replace].call(this,t,p.replace(/\\$<([^>]+)>/g,(function(e,r){var t=o[r];return"$"+(Array.isArray(t)?t.join("$"):t)})))}if("function"==typeof p){var i=this;return e[Symbol.replace].call(this,t,(function(){var e=arguments;return"object"!=typeof e[e.length-1]&&(e=[].slice.call(e)).push(buildGroups(e,i)),p.apply(this,e)}))}return e[Symbol.replace].call(this,t,p)},_wrapRegExp.apply(this,arguments)}',
+    'function _wrapRegExp(){_wrapRegExp=function(e,r){return new BabelRegExp(e,void 0,r)};var e=RegExp.prototype,r=new WeakMap;function BabelRegExp(e,t,p){var o=RegExp(e,t);return r.set(o,p||r.get(e)),setPrototypeOf(o,BabelRegExp.prototype)}function buildGroups(e,t){var p=r.get(t);return Object.keys(p).reduce((function(r,t){var o=p[t];if("number"==typeof o)r[t]=e[o];else{for(var i=0;void 0===e[o[i]]&&i+1<o.length;)i++;r[t]=e[o[i]]}return r}),Object.create(null))}return inherits(BabelRegExp,RegExp),BabelRegExp.prototype.exec=function(r){var t=e.exec.call(this,r);if(t){t.groups=buildGroups(t,this);var p=t.indices;p&&(p.groups=buildGroups(p,this))}return t},BabelRegExp.prototype[Symbol.replace]=function(t,p){if("string"==typeof p){var o=r.get(this);return e[Symbol.replace].call(this,t,p.replace(/\\$<([^>]+)(>|$)/g,(function(e,r,t){if(""===t)return e;var p=o[r];return Array.isArray(p)?"$"+p.join("$"):"number"==typeof p?"$"+p:""})))}if("function"==typeof p){var i=this;return e[Symbol.replace].call(this,t,(function(){var e=arguments;return"object"!=typeof e[e.length-1]&&(e=[].slice.call(e)).push(buildGroups(e,i)),p.apply(this,e)}))}return e[Symbol.replace].call(this,t,p)},_wrapRegExp.apply(this,arguments)}',
     {
       globals: ["RegExp", "WeakMap", "Object", "Symbol", "Array"],
       locals: {
diff --git a/packages/babel-helpers/src/helpers/wrapRegExp.ts b/packages/babel-helpers/src/helpers/wrapRegExp.ts
@@ -5,7 +5,7 @@ import inherits from "./inherits.ts";
 
 // Define interfaces for clarity and type safety
 interface GroupMap {
-  [key: string]: string | [number, number];
+  [key: string]: number | [number, number];
 }
 
 declare class BabelRegExp extends RegExp {
@@ -72,9 +72,18 @@ export default function _wrapRegExp(this: any): RegExp {
       ).call(
         this,
         str,
-        substitution.replace(/\$<([^>]+)>/g, function (_, name) {
-          var group = groups[name];
-          return "$" + (Array.isArray(group) ? group.join("$") : group);
+        substitution.replace(/\$<([^>]+)(>|$)/g, function (match, name, end) {
+          if (end === "") {
+            // return unterminated group name as-is
+            return match;
+          } else {
+            var group = groups[name];
+            return Array.isArray(group)
+              ? "$" + group.join("$")
+              : typeof group === "number"
+                ? "$" + group
+                : "";
+          }
         }),
       );
     } else if (typeof substitution === "function") {
@@ -116,13 +125,10 @@ export default function _wrapRegExp(this: any): RegExp {
       if (typeof i === "number") groups[name] = result[i];
       else {
         var k = 0;
-        while (
-          result[(i as [number, number])[k]] === undefined &&
-          k + 1 < i.length
-        ) {
+        while (result[i[k]] === undefined && k + 1 < i.length) {
           k++;
         }
-        groups[name] = result[(i as [number, number])[k]];
+        groups[name] = result[i[k]];
       }
       return groups;
     }, Object.create(null));
diff --git a/packages/babel-runtime-corejs3/helpers/esm/wrapRegExp.js b/packages/babel-runtime-corejs3/helpers/esm/wrapRegExp.js
@@ -42,9 +42,10 @@ function _wrapRegExp() {
   }, BabelRegExp.prototype[_Symbol$replace] = function (t, p) {
     if ("string" == typeof p) {
       var o = r.get(this);
-      return e[_Symbol$replace].call(this, t, p.replace(/\$<([^>]+)>/g, function (e, r) {
-        var t = o[r];
-        return "$" + (_Array$isArray(t) ? t.join("$") : t);
+      return e[_Symbol$replace].call(this, t, p.replace(/\$<([^>]+)(>|$)/g, function (e, r, t) {
+        if ("" === t) return e;
+        var p = o[r];
+        return _Array$isArray(p) ? "$" + p.join("$") : "number" == typeof p ? "$" + p : "";
       }));
     }
     if ("function" == typeof p) {
diff --git a/packages/babel-runtime/test/package.json b/packages/babel-runtime/test/package.json
@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}
diff --git a/packages/babel-runtime/test/unittests/wrapRegExp.test.js b/packages/babel-runtime/test/unittests/wrapRegExp.test.js
@@ -0,0 +1,122 @@
+import wrapRegExp from "../../helpers/wrapRegExp.js";
+
+describe("wrapRegExp", () => {
+  describe("should handle maliciously crafted substitutions", () => {
+    it("$<$<...$<group", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foofoo";
+      const replacement = "$<".repeat(1e5) + "group";
+      const startTime = Date.now();
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      // This test will fail if 2000ms is passed
+      const timeTaken = Date.now() - startTime;
+      expect(timeTaken).toBeLessThan(2000);
+      expect(result).toBe(replacement + "foo");
+    });
+
+    it("$<$<...$<group>", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foofoo";
+      const replacement = "$<".repeat(1e5) + "group>";
+      const startTime = Date.now();
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      // This test will fail if 2000ms is passed
+      const timeTaken = Date.now() - startTime;
+      expect(timeTaken).toBeLessThan(2000);
+      expect(result).toBe("foo");
+    });
+
+    it("$<g$<g...$<group", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foofoo";
+      const replacement = "$<g".repeat(1e5) + "group";
+      const startTime = Date.now();
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      // This test will fail if 2000ms is passed
+      const timeTaken = Date.now() - startTime;
+      expect(timeTaken).toBeLessThan(2000);
+      expect(result).toBe(replacement + "foo");
+    });
+
+    it("$<g$<g...$<group>", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foofoo";
+      const replacement = "$<g".repeat(1e5) + "group>";
+      const startTime = Date.now();
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      // This test will fail when 2000ms is passed
+      const timeTaken = Date.now() - startTime;
+      expect(timeTaken).toBeLessThan(2000);
+      expect(result).toBe("foo");
+    });
+
+    it("$<_$>", () => {
+      const pattern = "(foo)";
+      const groups = { _$: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foobar";
+      const replacement = "$<_$>$<_$>";
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      expect(result).toBe("foofoobar");
+    });
+
+    it("$<hasOwnProperty>", () => {
+      const pattern = "(foo)";
+      const groups = { hasOwnProperty: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foobar";
+      const replacement = "$<hasOwnProperty>";
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      expect(result).toBe("foobar");
+    });
+
+    it("$<__proto__>", () => {
+      const pattern = "(foo)";
+      const groups = { ["__proto__"]: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foobar";
+      const replacement = "$<__proto__>";
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      expect(result).toBe("foobar");
+    });
+  });
+  describe("substitutions", () => {
+    it("unknown group", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foobar";
+      const replacement = "$<UNKNOWN>";
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      expect(result).toBe("bar");
+    });
+
+    it("$<hasOwnProperty> - unknown group", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foobar";
+      const replacement = "$<hasOwnProperty>";
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      expect(result).toBe("bar");
+    });
+
+    it("$<__proto__> -- unknown group", () => {
+      const pattern = "(foo)";
+      const groups = { group: 1 };
+      const myRegExp = wrapRegExp(pattern, groups);
+      const targetStr = "foobar";
+      const replacement = "$<__proto__>";
+      const result = myRegExp[Symbol.replace](targetStr, replacement);
+      expect(result).toBe("bar");
+    });
+  });
+});
