fix(@angular-devkit/build-angular): limit error message length to are…

… passed to RegExp. Webpack errors can sometimes be several hundred of thousands of characters long as it may contain the entire bundle. This can cause a ReDoS, this change limits the message that is passed to the RegExp to 2000 characters. Closes angular#24771
alan-agius4 · Feb 24, 2023 · a082d54 · a082d54
1 parent 6335cf9
commit a082d54
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts b/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts
@@ -414,7 +414,7 @@ export function statsErrorsToString(
       // See: https://github.com/webpack/webpack/issues/15980
       const message = statsConfig.errorStack
         ? error.message
-        : /[\s\S]+?(?=\n+\s+at\s)/.exec(error.message)?.[0] ?? error.message;
+        : /[\s\S]+?(?=\n+\s+at\s)/.exec(error.message.substring(0, 2000))?.[0] ?? error.message;
 
       if (!/^error/i.test(message)) {
         output += r('Error: ');