fix(security): remove remaining regex redos paths (#111)

Author: anand-testcompare

packages/shopify-cable-source/src/connector-text.test.ts

@@ -0,0 +1,35 @@
+import { describe, expect, it } from "bun:test";
+import {
+  collectNormalizedConnectors,
+  extractConnectorPairFromText,
+} from "./connector-text";
+
+describe("extractConnectorPairFromText", () => {
+  it("parses USB-C to USB-C titles without regex backtracking", () => {
+    expect(extractConnectorPairFromText("USB-C to USB-C Cable")).toEqual({
+      from: "USB-C",
+      matchedText: "usb c to usb c",
+      to: "USB-C",
+    });
+  });
+
+  it("normalizes Thunderbolt connectors to USB-C physical endpoints", () => {
+    expect(
+      extractConnectorPairFromText("Thunderbolt 5 to USB-C Pro Cable")
+    ).toEqual({
+      from: "USB-C",
+      matchedText: "thunderbolt 5 to usb c",
+      to: "USB-C",
+    });
+  });
+});
+
+describe("collectNormalizedConnectors", () => {
+  it("deduplicates normalized connectors from free text", () => {
+    expect(
+      collectNormalizedConnectors(
+        "Works with USB-C, Thunderbolt 4, and Lightning accessories."
+      )
+    ).toEqual(["USB-C", "Lightning"]);
+  });
+});

packages/shopify-cable-source/src/connector-text.ts

@@ -0,0 +1,216 @@
+interface ConnectorPairMatch {
+  from: string;
+  matchedText: string;
+  to: string;
+}
+
+interface ConnectorTokenMatch {
+  connector: string;
+  matchedText: string;
+  nextIndex: number;
+}
+
+const createConnectorTokenMatch = (
+  connector: string,
+  matchedText: string,
+  nextIndex: number
+): ConnectorTokenMatch => {
+  return {
+    connector,
+    matchedText,
+    nextIndex,
+  };
+};
+
+const tokenizeConnectorWords = (text: string): string[] => {
+  const words: string[] = [];
+  let current = "";
+
+  for (const character of text.toLowerCase()) {
+    const isDigit = character >= "0" && character <= "9";
+    const isLowercaseLetter = character >= "a" && character <= "z";
+
+    if (isDigit || isLowercaseLetter || character === ".") {
+      current += character;
+      continue;
+    }
+
+    if (current.length > 0) {
+      words.push(current);
+      current = "";
+    }
+  }
+
+  if (current.length > 0) {
+    words.push(current);
+  }
+
+  return words;
+};
+
+const isDigitsOnly = (value: string): boolean => {
+  if (value.length === 0) {
+    return false;
+  }
+
+  for (const character of value) {
+    if (character < "0" || character > "9") {
+      return false;
+    }
+  }
+
+  return true;
+};
+
+const readLightningToken = (
+  words: string[],
+  startIndex: number
+): ConnectorTokenMatch | null => {
+  if (words[startIndex] !== "lightning") {
+    return null;
+  }
+
+  return createConnectorTokenMatch("Lightning", "lightning", startIndex + 1);
+};
+
+const readMicroUsbToken = (
+  words: string[],
+  startIndex: number
+): ConnectorTokenMatch | null => {
+  const current = words[startIndex];
+  if (current === "microusb") {
+    return createConnectorTokenMatch("Micro-USB", "micro usb", startIndex + 1);
+  }
+
+  if (current === "micro" && words[startIndex + 1] === "usb") {
+    return createConnectorTokenMatch("Micro-USB", "micro usb", startIndex + 2);
+  }
+
+  return null;
+};
+
+const readCollapsedUsbToken = (
+  words: string[],
+  startIndex: number
+): ConnectorTokenMatch | null => {
+  const current = words[startIndex];
+  switch (current) {
+    case "usbc":
+      return createConnectorTokenMatch("USB-C", "usb c", startIndex + 1);
+    case "usba":
+      return createConnectorTokenMatch("USB-A", "usb a", startIndex + 1);
+    case "usb3":
+    case "usb3.0":
+      return createConnectorTokenMatch("USB-A", "usb 3.0", startIndex + 1);
+    default:
+      return null;
+  }
+};
+
+const readSplitUsbToken = (
+  words: string[],
+  startIndex: number
+): ConnectorTokenMatch | null => {
+  if (words[startIndex] !== "usb") {
+    return null;
+  }
+
+  const next = words[startIndex + 1];
+  switch (next) {
+    case "c":
+      return createConnectorTokenMatch("USB-C", "usb c", startIndex + 2);
+    case "a":
+      return createConnectorTokenMatch("USB-A", "usb a", startIndex + 2);
+    case "3":
+    case "3.0":
+      return createConnectorTokenMatch("USB-A", "usb 3.0", startIndex + 2);
+    default:
+      return null;
+  }
+};
+
+const readThunderboltToken = (
+  words: string[],
+  startIndex: number
+): ConnectorTokenMatch | null => {
+  const current = words[startIndex];
+  if (!current?.startsWith("thunderbolt")) {
+    return null;
+  }
+
+  const suffix = current.slice("thunderbolt".length);
+  if (isDigitsOnly(suffix)) {
+    return createConnectorTokenMatch(
+      "USB-C",
+      `thunderbolt ${suffix}`,
+      startIndex + 1
+    );
+  }
+
+  const next = words[startIndex + 1];
+  if (next && isDigitsOnly(next)) {
+    return createConnectorTokenMatch(
+      "USB-C",
+      `thunderbolt ${next}`,
+      startIndex + 2
+    );
+  }
+
+  return createConnectorTokenMatch("USB-C", "thunderbolt", startIndex + 1);
+};
+
+const readConnectorToken = (
+  words: string[],
+  startIndex: number
+): ConnectorTokenMatch | null => {
+  return (
+    readLightningToken(words, startIndex) ??
+    readMicroUsbToken(words, startIndex) ??
+    readCollapsedUsbToken(words, startIndex) ??
+    readSplitUsbToken(words, startIndex) ??
+    readThunderboltToken(words, startIndex)
+  );
+};
+
+export const collectNormalizedConnectors = (text: string): string[] => {
+  const connectors = new Set<string>();
+  const words = tokenizeConnectorWords(text);
+
+  for (let index = 0; index < words.length; index += 1) {
+    const token = readConnectorToken(words, index);
+    if (!token) {
+      continue;
+    }
+
+    connectors.add(token.connector);
+    index = token.nextIndex - 1;
+  }
+
+  return [...connectors];
+};
+
+export const extractConnectorPairFromText = (
+  text: string
+): ConnectorPairMatch | null => {
+  const words = tokenizeConnectorWords(text);
+
+  for (let index = 0; index < words.length; index += 1) {
+    const from = readConnectorToken(words, index);
+    if (!from || words[from.nextIndex] !== "to") {
+      continue;
+    }
+
+    const to = readConnectorToken(words, from.nextIndex + 1);
+    if (!to) {
+      continue;
+    }
+
+    return {
+      from: from.connector,
+      matchedText: `${from.matchedText} to ${to.matchedText}`,
+      to: to.connector,
+    };
+  }
+
+  return null;
+};

packages/shopify-cable-source/src/source.ts

@@ -1,3 +1,7 @@
+import {
+  collectNormalizedConnectors,
+  extractConnectorPairFromText,
+} from "./connector-text";
 import { cleanText, normalizeWhitespace } from "./text";
 import type {
   ShopifyCableSourceTemplate,
@@ -156,10 +160,6 @@ class HttpError extends Error {
 
 const NEXT_DATA_SCRIPT_REGEX =
   /<script id="__NEXT_DATA__" type="application\/json">([\s\S]*?)<\/script>/;
-const CONNECTOR_TOKEN_REGEX =
-  /(Thunderbolt\s*\d*|USB[-\s]?C|USB[-\s]?A|USB\s*3\.0|Lightning|Micro[-\s]?USB)/i;
-const CONNECTOR_PAIR_REGEX =
-  /(Thunderbolt\s*\d*|USB[-\s]?C|USB[-\s]?A|USB\s*3\.0|Lightning|Micro[-\s]?USB)\s*to\s*(Thunderbolt\s*\d*|USB[-\s]?C|USB[-\s]?A|USB\s*3\.0|Lightning|Micro[-\s]?USB)/i;
 const THUNDERBOLT_WORD_REGEX = /thunderbolt/i;
 const CABLE_WORD_REGEX = /cable/i;
 const POWER_REGEX = /(\d{1,3}(?:\.\d+)?)\s*W\b/gi;
@@ -213,10 +213,30 @@ const combineUniqueText = (...segments: Array<string | undefined>): string => {
 };
 
 const slugify = (value: string): string => {
-  return value
-    .toLowerCase()
-    .replaceAll(/[^a-z0-9]+/g, "-")
-    .replaceAll(/^-+|-+$/g, "");
+  let output = "";
+  let previousWasSeparator = false;
+
+  for (const character of value.toLowerCase()) {
+    const isDigit = character >= "0" && character <= "9";
+    const isLowercaseLetter = character >= "a" && character <= "z";
+
+    if (isDigit || isLowercaseLetter) {
+      output += character;
+      previousWasSeparator = false;
+      continue;
+    }
+
+    if (!previousWasSeparator && output.length > 0) {
+      output += "-";
+      previousWasSeparator = true;
+    }
+  }
+
+  if (output.endsWith("-")) {
+    return output.slice(0, -1);
+  }
+
+  return output;
 };
 
 const normalizeBrand = (vendor: string, fallbackBrand: string): string => {
@@ -501,63 +521,6 @@ const mapProductJsonToShopifyProduct = (
   };
 };
 
-const normalizeConnectorToken = (token: string): string | null => {
-  const normalized = token.toLowerCase().replace(/\s+/g, "");
-  if (normalized.includes("thunderbolt")) {
-    return "USB-C";
-  }
-  if (normalized.includes("lightning")) {
-    return "Lightning";
-  }
-  if (normalized.includes("micro")) {
-    return "Micro-USB";
-  }
-  if (normalized.includes("usb3.0") || normalized.includes("usb-a")) {
-    return "USB-A";
-  }
-  if (normalized.includes("usb-c") || normalized.includes("usbc")) {
-    return "USB-C";
-  }
-  return null;
-};
-
-const extractConnectorPairFromText = (
-  text: string
-): { from: string; matchedText: string; to: string } | null => {
-  const pairMatch = text.match(CONNECTOR_PAIR_REGEX);
-  if (!(pairMatch?.[1] && pairMatch[2])) {
-    return null;
-  }
-
-  const from = normalizeConnectorToken(pairMatch[1]);
-  const to = normalizeConnectorToken(pairMatch[2]);
-  if (!(from && to)) {
-    return null;
-  }
-
-  return {
-    from,
-    to,
-    matchedText: pairMatch[0],
-  };
-};
-
-const collectNormalizedConnectors = (text: string): string[] => {
-  const connectorMatcher = new RegExp(CONNECTOR_TOKEN_REGEX.source, "gi");
-  const connectors = new Set<string>();
-  let connectorMatch = connectorMatcher.exec(text);
-  while (connectorMatch) {
-    const normalized = normalizeConnectorToken(
-      connectorMatch[1] ?? connectorMatch[0]
-    );
-    if (normalized) {
-      connectors.add(normalized);
-    }
-    connectorMatch = connectorMatcher.exec(text);
-  }
-  return [...connectors];
-};
-
 const parseConnectorPair = (
   title: string,
   contextText: string