fix(commons): fix metadata regular expressions

[delatrie]

Context

The PR fixes Polynomial regular expression used on uncontrolled data code scan error.

The expression in question is /@?allure.label.(?<name>[^\s]+?)[:=](?<value>[^\s]+)/. Due to how the default regexp engine is implemented in Node.js, it may have polynomial complexity on some inputs.

Example

Here, we test the regular expression against a string allure.label. followed by multiple occurrences of allure.label.!. The engine scans the string from its beginning to the end until it finds out it doesn't match. The backtracking is then engaged, and the engine starts over, this time from the 14th char ('a' in the second allure.label).

The process repeats until all repetitions of allure.label are handled, yielding the O(n*m) complexity, where n is the total length of the string, and m is the number of allure.label. occurrences in the string.

This can be illustrated with the following code:

const createTest = (pattern, prefix, repetitivePart) =>
  (n) => {
    const input = (prefix + new Array(n).fill(repetitivePart).join(""));
    const start = Date.now();
    const result = input.match(pattern);
    const duration = Date.now() - start;
    return { duration: `${duration}ms`, result: result };
  };

const test = createTest(/@?allure.label.(?<name>[^\s]+?)[:=](?<value>[^\s]+)/, "allure.label.", "allure.label.!");

test(10000);
test(20000);

{ duration: '1266ms', result: null }
{ duration: '5052ms', result: null }

Here, doubling the input length gives us x4 increase in the total parsing time.

Change

In this particular case, the regular expression's performance can be fixed by anchoring the expression to the initial position:

export const allureLabelRegexp = /(?:^|\s)@?allure\.label\.(?<name>[^:=\s]+)[:=](?<value>[^\s]+)/;

Now, the following two facts are true about this regular expression:

1. A matched string cannot contain a whitespace character (that was also the case previously).
2. A matched string is bound to either the beginning of the input or to a preceding whitespace character.

Together, those give us the complexity of O(n) because once an attempt to match fails, the engine continues from the next character of the input without backtracking.

Behaviour changes

1. The new expression extracts the preceding whitespace character from the title:
   Before:

   expect(extractMetadataFromString("foo @allure.id:1 bar").cleanTitle).toBe("foo  bar") // two whitespaces between foo and bar

   After:

   expect(extractMetadataFromString("foo @allure.id:1 bar").cleanTitle).toBe("foo bar") // one whitespace between foo and bar

2. The new expression doesn't match against strings like "foo@allure.id:10". A whitespace is mandatory now. We may work this around by anchoring the pattern to the @ character as well, but that would also require us to exclude it from both label names and values. Otherwise, the same polynomial complexity problem occurs.

Extra changes

• the PR adds a test suite for extractMetadataFromString.

Checklist

• Sign Allure CLA
• Provide unit tests