[core] Potential ReDoS Vulnerability in init.js: Inefficient Regex May Cause Denial of Service

client/commonFramework/bindings.js

@@ -21,6 +21,11 @@ window.common = (function(global) {
   };
 
   common.init.push(function($) {
+    function stripTrailingHashes(url) {
+      let i = url.length - 1;
+      while (i >= 0 && url[i] === '#') i--;
+      return url.slice(0, i + 1);
+    }
 
     var $marginFix = $('.innerMarginFix');
     $marginFix.css('min-height', $marginFix.height());
@@ -179,10 +184,9 @@ window.common = (function(global) {
     });
 
     $('#search-issue').on('click', function() {
-      var queryIssue = window.location.href
-        .toString()
-        .split('?')[0]
-        .replace(/(#*)$/, '');
+      var queryIssue = stripTrailingHashes(
+        window.location.href.toString().split('?')[0]
+      );
       window.open(
         'https://github.com/freecodecampchina/freecodecamp.cn/issues?q=' +
         'is:issue is:all ' +
@@ -196,4 +200,4 @@ window.common = (function(global) {
   });
 
   return common;
-}(window));
+}(window));

client/commonFramework/init.js

@@ -46,13 +46,13 @@ window.common = (function(global) {
   };
 
   common.replaceFormActionAttr = function replaceFormAction(value) {
-    return value.replace(/<form[^>]*>/, function(val) {
+    return value.replace(/<form(?!<form)[^>]*>/, function(val) {
       return val.replace(/action(\s*?)=/, 'fccfaa$1=');
     });
   };
 
   common.replaceFccfaaAttr = function replaceFccfaaAttr(value) {
-    return value.replace(/<form[^>]*>/, function(val) {
+    return value.replace(/<form(?!<form)[^>]*>/, function(val) {
       return val.replace(/fccfaa(\s*?)=/, 'action$1=');
     });
   };

package.json

@@ -21,7 +21,8 @@
     "lint-json": "npm run lint-server && npm run lint-challenges && npm run lint-resources && npm run lint-utils",
     "test-challenges": "babel-node seed/test-challenges.js | tap-spec",
     "pretest": "npm run lint",
-    "test": "npm run test-challenges"
+    "test": "npm run test-challenges",
+    "test-redos": "mocha test/commonFramework/bindings.test.js"
   },
   "license": "(BSD-3-Clause AND CC-BY-SA-4.0)",
   "dependencies": {

test/commonFramework/bindings.test.js

@@ -0,0 +1,45 @@
+// test/bindings.test.js
+const { expect } = require('chai');
+const { performance } = require('perf_hooks');
+
+// 安全替代函数
+function stripTrailingHashes(url) {
+  let i = url.length - 1;
+  while (i >= 0 && url[i] === '#') i--;
+  return url.slice(0, i + 1);
+}
+
+// 模拟原版逻辑（用于对比测试）
+function originalReplace(url) {
+  return url.replace(/#+$/, '');
+}
+
+describe('✅ stripTrailingHashes replacement test', function () {
+  this.timeout(10000); // 最多允许10秒运行
+
+  it('should match behavior of original regex for normal cases', () => {
+    const cases = [
+      ["https://a.com/page#", "https://a.com/page"],
+      ["https://a.com/page###", "https://a.com/page"],
+      ["https://a.com/page#section", "https://a.com/page#section"],
+      ["https://a.com/page#section#", "https://a.com/page#section"],
+      ["https://a.com/page", "https://a.com/page"],
+    ];
+
+    for (const [input, expected] of cases) {
+      expect(stripTrailingHashes(input)).to.equal(expected);
+      expect(stripTrailingHashes(input)).to.equal(originalReplace(input));
+    }
+  });
+
+  it('should not hang on malicious long string input', () => {
+    const attack = '#'.repeat(100000) + '@';
+    const testUrl = 'https://a.com/' + attack;
+    const t0 = performance.now();
+    const result = stripTrailingHashes(testUrl);
+    const t1 = performance.now();
+    const duration = (t1 - t0) / 1000;
+    console.log(`⏱️ safeReplace() 执行耗时：${duration.toFixed(3)} s`);
+    expect(duration).to.be.lessThan(1); // 应该非常快（毫秒级）
+  });
+});