From 3912fef6bf654cd11451a0898d784c4e32d37b1b Mon Sep 17 00:00:00 2001
From: Neal Poole
Date: Thu, 29 Apr 2021 14:51:29 -0700
Subject: [PATCH] Update validateBaseUrl to use latest regex
Summary: Updating the regex to avoid a potential regular expression denial-of-service vulnerability.
Changelog: Update validateBaseUrl to use a more robust regular expression.
Fixes CVE-2020-1920, GHSL-2020-293
Reviewed By: lunaleaps
Differential Revision: D25507604
fbshipit-source-id: c36a03c456881bc655c861e1a2c5cd41a7127c9d
---
 Libraries/Blob/URL.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Libraries/Blob/URL.js b/Libraries/Blob/URL.js
index bf9ab01bf1a..62c31ea2e64 100644
--- a/Libraries/Blob/URL.js
+++ b/Libraries/Blob/URL.js
@@ -107,7 +107,7 @@ export class URLSearchParams {
 function validateBaseUrl(url: string) {
   // from this MIT-licensed gist: https://gist.github.com/dperini/729294
-  return /^(?:(?:(?:https?|ftp):)?\/\/)(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,}))?)(?::\d{2,5})?(?:[/?#]\S*)?$/i.test(
+  return /^(?:(?:(?:https?|ftp):)?\/\/)(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)*(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/.test(
     url,
   );
 }
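Review bot: The `i` flag was dropped from the regex on the `+` line, so inputs such as `HTTPS://EXAMPLE.COM` or `http://Example.com`, which the removed `/i` pattern accepted, now fail `validateBaseUrl`: the scheme alternative `https?|ftp` and every host class are spelled lowercase, and ASCII `A-Z` is not inside `\u00a1-\uffff`. Schemes and host names are case-insensitive and the summary only describes the ReDoS fix, so this looks like an accidental tightening; restoring it is the one-character change `…(?:[/?#]\S*)?$/i.test(`. If case-sensitivity is intended, say so in the comment above the `return`, which still attributes the expression verbatim to the gist although this copy appears to diverge from it (the flag is gone, and the label group is repeated with `*`, which admits single-label hosts such as `http://localhost`), e.g. `// adapted from this MIT-licensed gist (https://gist.github.com/dperini/729294): each host label is bounded to 63 chars and must end in a literal '.', which removes the nested unbounded quantifiers that made the previous pattern backtrack catastrophically; note this copy is case-sensitive.` A regression test covering the previously pathological long-label input and a mixed-case URL would pin both behaviors.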