Skip to content

[20.3.x] fix(common): add upper bounds for digitsInfo #68890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
JeanMeche wants to merge 1 commit into
base: 20.3.x
Choose a base branch
from
+28 −2
Open

[20.3.x] fix(common): add upper bounds for digitsInfo #68890

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion packages/common/src/i18n/format_number.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,14 @@

import {ɵRuntimeError as RuntimeError} from '@angular/core';

import {RuntimeErrorCode} from '../errors';
import {
getLocaleNumberFormat,
getLocaleNumberSymbol,
getNumberOfCurrencyDigits,
NumberFormatStyle,
NumberSymbol,
} from './locale_data_api';
import {RuntimeErrorCode} from '../errors';

export const NUMBER_FORMAT_REGEXP = /^(\d+)?\.((\d+)(-(\d+))?)?$/;
const MAX_DIGITS = 22;
Expand Down Expand Up @@ -77,6 +77,20 @@ function formatNumberToLocaleString(
} else if (minFractionPart != null && minFraction > maxFraction) {
maxFraction = minFraction;
}

// Prevent DoS via resource exhaustion by capping the maximum padding iterations
const MAX_ALLOWED_DIGITS = 100;
if (
minInt > MAX_ALLOWED_DIGITS ||
minFraction > MAX_ALLOWED_DIGITS ||
maxFraction > MAX_ALLOWED_DIGITS
) {
throw new RuntimeError(
RuntimeErrorCode.INVALID_DIGIT_INFO,
ngDevMode &&
`${digitsInfo} is not a valid digit info. Exceeded maximum limits of ${MAX_ALLOWED_DIGITS} digits.`,
);
}
}

roundNumber(parsedNumber, minFraction, maxFraction);
Expand Down
14 changes: 13 additions & 1 deletion packages/common/test/i18n/format_number_spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,12 @@
* found in the LICENSE file at https://angular.dev/license
*/

import {ɵDEFAULT_LOCALE_ID, ɵregisterLocaleData, ɵunregisterLocaleData} from '@angular/core';
import {formatCurrency, formatNumber, formatPercent} from '../../index';
import localeAr from '../../locales/ar';
import localeEn from '../../locales/en';
import localeEsUS from '../../locales/es-US';
import localeFr from '../../locales/fr';
import {ɵDEFAULT_LOCALE_ID, ɵregisterLocaleData, ɵunregisterLocaleData} from '@angular/core';

describe('Format number', () => {
beforeAll(() => {
Expand Down Expand Up @@ -43,6 +43,18 @@ describe('Format number', () => {
/is higher than the maximum/,
);
});

it('should throw if minInt, minFraction, or maxFraction exceeds 100 to prevent DoS', () => {
const expectedError = /Exceeded maximum limits of 100 digits/;
expect(() => formatNumber(1.1, ɵDEFAULT_LOCALE_ID, '101.4-5')).toThrowError(expectedError);
expect(() => formatNumber(1.1, ɵDEFAULT_LOCALE_ID, '3.101-105')).toThrowError(
expectedError,
);
expect(() => formatNumber(1.1, ɵDEFAULT_LOCALE_ID, '3.4-101')).toThrowError(expectedError);
expect(() => formatNumber(1.1, ɵDEFAULT_LOCALE_ID, '1.2000000000-20000000')).toThrowError(
expectedError,
);
});
});

describe('transform with custom locales', () => {
Expand Down
Loading