From 3f834389ee6da70542fd35220d97438890f7200f Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Wed, 30 Jul 2025 13:45:17 +0800
Subject: [PATCH 1/4] Update constant.js
---
 src/constant.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/constant.js b/src/constant.js
index 22d6e8adc..67994901e 100644
--- a/src/constant.js
+++ b/src/constant.js
@@ -27,4 +27,4 @@ export const INVALID_DATE_STRING = 'Invalid Date'
 // regex
 export const REGEX_PARSE = /^(\d{4})[-/]?(\d{1,2})?[-/]?(\d{0,2})[Tt\s]*(\d{1,2})?:?(\d{1,2})?:?(\d{1,2})?[.:]?(\d+)?$/
-export const REGEX_FORMAT = /\[([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g
+export const REGEX_FORMAT = /\[(?!\[)([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g
From 17180cf3bfe1f83a884b3fc591657e0c08061e77 Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Wed, 30 Jul 2025 13:46:10 +0800
Subject: [PATCH 2/4] Update utils.js
---
 src/plugin/localizedFormat/utils.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugin/localizedFormat/utils.js b/src/plugin/localizedFormat/utils.js
index b6284d8e9..d002a954b 100644
--- a/src/plugin/localizedFormat/utils.js
+++ b/src/plugin/localizedFormat/utils.js
@@ -1,6 +1,6 @@
 // eslint-disable-next-line import/prefer-default-export
 export const t = format =>
- format.replace(/(\[[^\]]+])|(MMMM|MM|DD|dddd)/g, (_, a, b) => a || b.slice(1))
+ format.replace(/(\[(?!\[)[^\]]+])|(MMMM|MM|DD|dddd)/g, (_, a, b) => a || b.slice(1))
 export const englishFormats = {
 LTS: 'h:mm:ss A',
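Review bot: The `(?!\[)` lookahead added to the `t` regex in src/plugin/localizedFormat/utils.js (and to the `u` regex in the second hunk of the same file) only rejects a `[` that is immediately followed by another `[`. When an unterminated `[` is followed by any other character, `[^\]]+` still runs to the end of the string from every opening bracket, so matching stays quadratic for that shape of input. PATCH 4/4 later moves `REGEX_FORMAT` in src/constant.js to a class that also excludes `[`, but these two plugin patterns are left on the lookahead form. Aligning them, e.g. `format.replace(/(\[[^\[\]]+])|(MMMM|MM|DD|dddd)/g, (_, a, b) => a || b.slice(1))` and the equivalent class in `u`, would stop each attempt at the next bracket. That form no longer treats a `[` inside escaped text as literal, so it needs a test of its own.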
@@ -11,7 +11,7 @@ export const englishFormats = {
 LLLL: 'dddd, MMMM D, YYYY h:mm A'
 }
-export const u = (formatStr, formats) => formatStr.replace(/(\[[^\]]+])|(LTS?|l{1,4}|L{1,4})/g, (_, a, b) => {
+export const u = (formatStr, formats) => formatStr.replace(/(\[(?!\[)[^\]]+])|(LTS?|l{1,4}|L{1,4})/g, (_, a, b) => {
 const B = b && b.toUpperCase()
 return a || formats[b] || englishFormats[b] || t(formats[B])
 })
From 61a44ff1b253daa80e34043bb7be4b2e752b18b2 Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Wed, 30 Jul 2025 13:46:51 +0800
Subject: [PATCH 3/4] Update localizedFormat.test.js
---
 test/plugin/localizedFormat.test.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/test/plugin/localizedFormat.test.js b/test/plugin/localizedFormat.test.js
index da5b219e0..3fe16ce36 100644
--- a/test/plugin/localizedFormat.test.js
+++ b/test/plugin/localizedFormat.test.js
@@ -116,3 +116,12 @@ it('Uses the localized uppercase formats as a base for lowercase formats, if not
 expect(spanishDate.format(option)).toBe(spanishDate.format(adaptedFormat))
 })
 })
+
+it('ReDos attack', () => {
+ const longFmt = '['.repeat(100000) + '\u0000'
+ const start = Date.now()
+ const output = dayjs().format(longFmt)
+ const elapsed = Date.now() - start
+ expect(output).toBe(longFmt)
+ expect(elapsed).toBeLessThan(3000)
+})
From a6b0f1da9dba76d6beec6573d188f6aa74fca225 Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Wed, 6 Aug 2025 12:02:45 +0800
Subject: [PATCH 4/4] Update constant.js
---
 src/constant.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/constant.js b/src/constant.js
index 67994901e..ae555891e 100644
--- a/src/constant.js
+++ b/src/constant.js
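Review bot: The new 'ReDos attack' test in test/plugin/localizedFormat.test.js covers only a run of consecutive `[`, which is exactly the case the `(?!\[)` lookahead short-circuits, so it would keep passing even if formats whose unterminated `[` are separated by other characters were still slow. A second format string of that shape, asserted the same way, plus one assertion that ordinary `[escaped]` text still round-trips, would pin the behaviour the series is after. The `toBeLessThan(3000)` wall-clock bound is machine-dependent and loose; comparing the elapsed time at two input sizes would be less flaky on a loaded CI runner. A descriptive title such as `it('formats long unterminated "[" runs without quadratic slowdown', () => {` would also read better in test reports.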
@@ -27,4 +27,4 @@ export const INVALID_DATE_STRING = 'Invalid Date'
 // regex
 export const REGEX_PARSE = /^(\d{4})[-/]?(\d{1,2})?[-/]?(\d{0,2})[Tt\s]*(\d{1,2})?:?(\d{1,2})?:?(\d{1,2})?[.:]?(\d+)?$/
-export const REGEX_FORMAT = /\[(?!\[)([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g
+export const REGEX_FORMAT = /(?![^\[\]])\[([^\[\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g
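Review bot: The leading `(?![^\[\]])` in the new `REGEX_FORMAT` is a no-op: it asserts that the next character is a bracket or end of input, and the `\[` right after it already requires `[`, so the effective change is the `[^\[\]]+` class. Writing the first alternative as plain `\[([^\[\]]+)]` gives the same matches and is easier to audit. Excluding `[` from the escaped text also appears to change behaviour: a format such as `[a[b]` used to escape `a[b` as one literal, whereas now only `[b]` is escaped and the preceding `a` is read as a token. A short comment on the constant, for example `// escaped text may not contain '[' (keeps each match attempt bounded)`, and a test for that case would make the trade-off explicit.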