[Validator] Regex bypass when match is false with too big input

Author: vincent4vx

Constraints/RegexValidator.php

@@ -47,7 +47,9 @@ public function validate(mixed $value, Constraint $constraint)
             $value = ($constraint->normalizer)($value);
         }
 
-        if ($constraint->match xor preg_match($constraint->pattern, $value)) {
+        $expectedResult = $constraint->match ? 1 : 0;
+
+        if (preg_match($constraint->pattern, $value) !== $expectedResult) {
             $this->context->buildViolation($constraint->message)
                 ->setParameter('{{ value }}', $this->formatValue($value))
                 ->setParameter('{{ pattern }}', $constraint->pattern)

Tests/Constraints/RegexValidatorTest.php

@@ -152,4 +152,19 @@ public function __toString(): string
             }],
         ];
     }
+
+    public function testMatchFalseWithTooManyBacktrackingShouldNotPass()
+    {
+        $value = '<'.str_repeat('a', 1000000).'<a href="javascript:alert(1)">test</a>';
+        $pattern = '/<script|([^>]*?)(on\w+\s*=\s*(["\']).*?\3|href\s*=\s*(["\'])javascript:.*?\4)[^>]*?>/is';
+        $constraint = new Regex(pattern: $pattern, message: 'myMessage', match: false);
+
+        $this->validator->validate($value, $constraint);
+
+        $this->buildViolation('myMessage')
+            ->setParameter('{{ value }}', '"'.$value.'"')
+            ->setParameter('{{ pattern }}', $pattern)
+            ->setCode(Regex::REGEX_FAILED_ERROR)
+            ->assertRaised();
+    }
 }