diff --git a/ghost/core/core/server/services/custom-redirects/validation.js b/ghost/core/core/server/services/custom-redirects/validation.js index 1107a01c42..aaba74b0f7 100644 --- a/ghost/core/core/server/services/custom-redirects/validation.js +++ b/ghost/core/core/server/services/custom-redirects/validation.js @@ -1,7 +1,6 @@ const _ = require('lodash'); const tpl = require('@tryghost/tpl'); const errors = require('@tryghost/errors'); -const {isSafePattern} = require('redos-detector'); const messages = { redirectsWrongFormat: 'Incorrect redirects file format.', @@ -34,35 +33,18 @@ const validate = (redirects) => { if (!redirect.from || !redirect.to) { throw new errors.ValidationError({ message: tpl(messages.redirectsWrongFormat), + context: redirect, help: tpl(messages.redirectsHelp) }); } - // Ensure valid regex try { + // each 'from' property should be a valid RegExp string new RegExp(redirect.from); } catch (error) { throw new errors.ValidationError({ message: tpl(messages.invalidRedirectsFromRegex), - errorDetails: { - redirect, - invalid: true - }, - help: tpl(messages.redirectsHelp) - }); - } - - // Ensure safe regex - const analysis = isSafePattern(redirect.from); - - if (analysis.safe === false) { - throw new errors.ValidationError({ - message: tpl(messages.invalidRedirectsFromRegex), - errorDetails: { - redirect, - unsafe: true, - reason: analysis.error - }, + context: redirect, help: tpl(messages.redirectsHelp) }); } diff --git a/ghost/core/package.json b/ghost/core/package.json index 19fe173c91..100c625712 100644 --- a/ghost/core/package.json +++ b/ghost/core/package.json @@ -219,7 +219,6 @@ "node-jose": "2.2.0", "path-match": "1.2.4", "probe-image-size": "7.2.3", - "redos-detector": "5.1.0", "rss": "1.2.2", "sanitize-html": "2.13.0", "semver": "7.6.2", diff --git a/ghost/core/test/unit/server/services/custom-redirects/validation.test.js b/ghost/core/test/unit/server/services/custom-redirects/validation.test.js index a0e61861b9..a3a6f35b7a 100644 --- a/ghost/core/test/unit/server/services/custom-redirects/validation.test.js +++ b/ghost/core/test/unit/server/services/custom-redirects/validation.test.js @@ -39,26 +39,6 @@ describe('UNIT: custom redirects validation', function () { should.fail('should have thrown'); } catch (err) { err.message.should.equal('Incorrect RegEx in redirects file.'); - err.errorDetails.redirect.should.equal(config[0]); - err.errorDetails.invalid.should.be.true(); - } - }); - - it('throws for an invalid redirects config having unsafe RegExp in from field', function () { - const config = [{ - permanent: true, - from: '^\/episodes\/([a-z0-9-]+)+\/$', // Unsafe due to the surplus + at the end causing infinite backtracking - to: '/' - }]; - - try { - validate(config); - should.fail('should have thrown'); - } catch (err) { - err.message.should.equal('Incorrect RegEx in redirects file.'); - err.errorDetails.redirect.should.equal(config[0]); - err.errorDetails.unsafe.should.be.true(); - err.errorDetails.reason.should.equal('hitMaxBacktracks'); } }); diff --git a/yarn.lock b/yarn.lock index 0a6bcc9b88..66865bba0c 100644 --- a/yarn.lock +++ b/yarn.lock @@ -27694,13 +27694,6 @@ redis-parser@^3.0.0: dependencies: redis-errors "^1.0.0" -redos-detector@5.1.0: - version "5.1.0" - resolved "https://registry.yarnpkg.com/redos-detector/-/redos-detector-5.1.0.tgz#67660c896a48490e80b35557f876a529680f0f8d" - integrity sha512-08en/ij0//HwKZdKlelRZGQKmQhmKMQPVJPD+1THfYm64mZhLPOG0NBa47+DrOF53DyaRsCFyD7JHJaYITnt9g== - dependencies: - regjsparser "0.10.0" - reflect-metadata@0.1.14: version "0.1.14" resolved "https://registry.yarnpkg.com/reflect-metadata/-/reflect-metadata-0.1.14.tgz#24cf721fe60677146bb77eeb0e1f9dece3d65859" @@ -27822,13 +27815,6 @@ regjsgen@^0.2.0: resolved "https://registry.yarnpkg.com/regjsgen/-/regjsgen-0.2.0.tgz#6c016adeac554f75823fe37ac05b92d5a4edb1f7" integrity sha512-x+Y3yA24uF68m5GA+tBjbGYo64xXVJpbToBaWCoSNSc1hdk6dfctaRWrNFTVJZIIhL5GxW8zwjoixbnifnK59g== -regjsparser@0.10.0: - version "0.10.0" - resolved "https://registry.yarnpkg.com/regjsparser/-/regjsparser-0.10.0.tgz#b1ed26051736b436f22fdec1c8f72635f9f44892" - integrity sha512-qx+xQGZVsy55CH0a1hiVwHmqjLryfh7wQyF5HO07XJ9f7dQMY/gPQHhlyDkIzJKC+x2fUCpCcUODUUUFrm7SHA== - dependencies: - jsesc "~0.5.0" - regjsparser@^0.1.4: version "0.1.5" resolved "https://registry.yarnpkg.com/regjsparser/-/regjsparser-0.1.5.tgz#7ee8f84dc6fa792d3fd0ae228d24bd949ead205c"