fix(@angular-devkit/build-angular): limit error message length to are passed to RegExp.

alan-agius4 · alan-agius4 · commit a082d54bb97b · 2023-02-24T12:40:38.000Z
Webpack errors can sometimes be several hundred of thousands of characters long as it may contain the entire bundle. This can cause a ReDoS, this change limits the message that is passed to the RegExp to 2000 characters. Closes angular#24771
diff --git a/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts b/packages/angular_devkit/build_angular/src/webpack/utils/stats.ts
@@ -414,7 +414,7 @@ export function statsErrorsToString(
       // See: https://github.com/webpack/webpack/issues/15980
       const message = statsConfig.errorStack
         ? error.message
-        : /[\s\S]+?(?=\n+\s+at\s)/.exec(error.message)?.[0] ?? error.message;
+        : /[\s\S]+?(?=\n+\s+at\s)/.exec(error.message.substring(0, 2000))?.[0] ?? error.message;
 
       if (!/^error/i.test(message)) {
         output += r('Error: ');
