From 81a03ef757dfb98fa6f18fdbc43b65008721ad34 Mon Sep 17 00:00:00 2001
From: Chaitanya Mankala
Date: Thu, 17 Jul 2025 17:27:41 +0530
Subject: [PATCH] [fix] Vulnerability GHSA-x5gf-qvw8-r2rm

---
 lib/tools/Config.js | 68 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 62 insertions(+), 6 deletions(-)

diff --git a/lib/tools/Config.js b/lib/tools/Config.js
index 952e740763..2d5cb7f303 100644
--- a/lib/tools/Config.js
+++ b/lib/tools/Config.js
@@ -139,6 +139,59 @@ Config.validateJSON = function(json){
 return {errors: this._errors, config: res};
 };
 
+/**
+ * Safe string parsing function to replace vulnerable regex
+ * @param {String} str - String to parse
+ * @returns {Array} - Parsed tokens
+ * @private
+ */
+Config._parseStringToArray = function(str) {
+ var result = [];
+ var current = '';
+ var inQuotes = false;
+ var quoteChar = '';
+ var i = 0;
+
+ // Add length check to prevent excessive processing
+ if (str.length > 10000) {
+ throw new Error('String too long for parsing');
+ }
+
+ while (i < str.length) {
+ var char = str[i];
+
+ if (!inQuotes) {
+ if (char === '"' || char === "'") {
+ inQuotes = true;
+ quoteChar = char;
+ current += char;
+ } else if (/\s/.test(char)) {
+ if (current.trim()) {
+ result.push(current.trim());
+ current = '';
+ }
+ } else {
+ current += char;
+ }
+ } else {
+ current += char;
+ if (char === quoteChar && str[i - 1] !== '\\') {
+ inQuotes = false;
+ quoteChar = '';
+ }
+ }
+ i++;
+ }
+
+ if (current.trim()) {
+ result.push(current.trim());
+ }
+
+ return result.filter(function(v) {
+ return v && v.length > 0;
+ });
+};
+
 /**
 * Validate key-value pairs by specific schema
 * @param {String} key
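Review bot: The closing-quote test `str[i - 1] !== '\\'` in the quoted branch of `_parseStringToArray` looks only one character back, so a quote that follows an escaped backslash is treated as escaped and the scanner stays in quoted mode. Everything after that point is then folded into a single token, and an unterminated quote is accepted silently in the same way. Tracking an `escaped` flag while scanning handles runs of backslashes and keeps the loop linear, which is the property this fix is after. Separately, the length guard throws, while the visible tail of `validateJSON` returns collected `errors`, so it is worth confirming that the caller in `_valid` handles the exception. The 10000 limit should also be stated in the JSDoc.

```javascript
// … unchanged: result/current/inQuotes/quoteChar/i declarations …
  var escaped = false; // true when the previous quoted character was an unescaped backslash
// … unchanged: length check, loop header, unquoted branch …
    } else {
      current += char;
      if (escaped) {
        // This character was escaped, so it cannot close the quote.
        escaped = false;
      } else if (char === '\\') {
        escaped = true;
      } else if (char === quoteChar) {
        inQuotes = false;
        quoteChar = '';
      }
    }
// … unchanged: i++, trailing token flush, return …
```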
@@ -198,13 +251,16 @@ Config._valid = function(key, value, sch){ } // If first type is Array, but current is String, try to split them. + // FIXED: Replace vulnerable regex with safe parsing function if(scht.length > 1 && type != scht[0] && type == '[object String]'){ if(scht[0] == '[object Array]') { - // unfortunately, js does not support lookahead RegExp (/(?