regex DoS improvements and testing

jentfoo · jentfoo · commit c1f7f08ea101 · 2025-07-18T09:59:53.000-06:00
diff --git a/lib/tdf3/src/utils/unwrap.ts b/lib/tdf3/src/utils/unwrap.ts
@@ -3,7 +3,8 @@ import { InvalidFileError } from '../../../src/errors.js';
 
 export function unwrapHtml(htmlPayload: Uint8Array): Uint8Array {
   const html = new TextDecoder().decode(htmlPayload);
-  const payloadRe = /<input id=['"]?data-input['"]?[^>]*?value=['"]?([a-zA-Z0-9+/=\-_]+?)['"]?/;
+  const payloadRe =
+    /<input\s+[^>]*id=(?:['"]?)data-input(?:['"]?)[^>]*value=(?:['"]?)([a-zA-Z0-9+/=\-_]+)(?:['"]?)/;
   const reResult = payloadRe.exec(html);
   if (!reResult) {
     throw new InvalidFileError('Payload is missing');
diff --git a/lib/tests/mocha/unit/unwrap.spec.ts b/lib/tests/mocha/unit/unwrap.spec.ts
@@ -25,4 +25,46 @@ describe('unwrapHtml', () => {
       'There was a problem extracting the TDF3 payload'
     );
   });
+
+  describe('regex pattern variations', () => {
+    it('should handle double quotes', () => {
+      const htmlPayload = new TextEncoder().encode(
+        '<input id="data-input" type="hidden" value="SGVsbG8gV29ybGQ=">'
+      );
+      const result = unwrapHtml(htmlPayload);
+      expect(new TextDecoder().decode(result)).to.equal('Hello World');
+    });
+
+    it('should handle single quotes', () => {
+      const htmlPayload = new TextEncoder().encode(
+        "<input id='data-input' type='hidden' value='SGVsbG8gV29ybGQ='>"
+      );
+      const result = unwrapHtml(htmlPayload);
+      expect(new TextDecoder().decode(result)).to.equal('Hello World');
+    });
+
+    it('should handle no quotes', () => {
+      const htmlPayload = new TextEncoder().encode(
+        '<input id=data-input type=hidden value=SGVsbG8gV29ybGQ=>'
+      );
+      const result = unwrapHtml(htmlPayload);
+      expect(new TextDecoder().decode(result)).to.equal('Hello World');
+    });
+
+    it('should handle URL-safe base64 characters', () => {
+      const htmlPayload = new TextEncoder().encode(
+        '<input id="data-input" type="hidden" value="SGVsbG8tV29ybGQ_">'
+      );
+      const result = unwrapHtml(htmlPayload);
+      expect(new TextDecoder().decode(result)).to.equal('Hello-World?');
+    });
+
+    it('should handle additional attributes', () => {
+      const htmlPayload = new TextEncoder().encode(
+        '<input class="hidden" id="data-input" data-test="value" type="hidden" value="SGVsbG8gV29ybGQ=">'
+      );
+      const result = unwrapHtml(htmlPayload);
+      expect(new TextDecoder().decode(result)).to.equal('Hello World');
+    });
+  });
 });
